The DPDI Bill will make it harder for people to get justice from the ICO

The Data Protection and Digital Information (DPDI) Bill will harm the independence of the Information Commissioner’s Office (ICO) and make it harder for people to get justice when they experience data protection abuses, warns Open Rights Group.

The ICO already has a poor record on enforcement. In the year 2023/24, aside from fining TikTok for data protection breaches, it has only issued fines to the private sector in relation to spam emails and cold calling. It has only issued one fine to a public sector department – the Ministry of Defence – for an email error that “could have resulted in a threat to life” of 265 Afghan interpreters. The ICO reduced the initial fine of £1 million to £350,000 or approximately £1,000 for each life that could have been lost. The ICO did not fine other public sector organisations, including police forces that exposed witness data, a Council whose disclosure put a mother and child at risk, and the Ministry of Justice after four bags of confidential waste were found in an unsecured holding area in the prison, which both prisoners and staff had access to. Instead, it issued reprimands, or in a few cases, enforcement orders.

ORG has also heard about the individual experiences of complainants that demonstrate the human impact and hurt that is caused when cases raised by the public are left unresolved.

Provisions within the Bill, which returns to parliament on March 20, could further weaken the ability of the data regulator to operate independently of government and protect our data rights.

The ICO exists to protect our data and information rights, and this includes investigating issues and problems that are raised with members of the public. ORG asked our supporters about their personal experiences of the ICO. We received dozens of responses where people felt that the ICO had failed them, two of which are included below.

As well as undermining the independence of the ICO, the DPDI Bill shifts power over our data to companies and governments. If it passes, the public will have less control over our data and less recourse when things go wrong. Parliament needs to ensure we have a strong, independent ICO which will stand up to corporations, organisations and government departments who are misusing our data and disrespecting our data rights.

Amendments to the DPDI Bill

ORG is calling for the Government to back amendments put forward in the House of Lords, which will:

• clarify the statutory objective of the new Information Commission;

• safeguard its independence from the Government;

• ensure the ICO has an obligation to consider all complaints raised by members of the public;

• protect the Information Commission from cronyism and undue corporate influence;

• allow effective judicial scrutiny of the new Information Commission regulatory function;

• allow not-for-profit organisations to lodge representative complaints;

• and retain the Office of the Biometrics and Surveillance Camera Commissioner.

Case studies

Julie James, Office Administrator
Family need information for closure over her father’s death

“I submitted a freedom of information (FOI) request and a subject access request (SAR) to a hospital trust in 2016 to try to get answers regarding my father’s safety, care and treatment. I also wanted to know about the factors that led up to his avoidable death after being admitted into hospital for abdominal pain and receiving a diagnosis of constipation in 2012. I got no response from the hospital on either requests so I contacted the ICO.

“They eventually replied and agreed that the hospital had breached my data protection rights and informed me they were going to do an investigation into my complaint. This was in about 2019 but I still haven’t heard anything from them since about the outcome of the investigation or their actions against the hospital

My family and I need answers to questions that will give us closure about what happened to my father when he was in the care of the hospital. At one point he was on a rehabilitation progress with a plan to move to a rehabilitation ward before returning home. My family have been left in limbo with unanswered questions from the hospital and no communication from the ICO to say whether an investigation was actually carried out. My family and I still struggle with this and can’t help feel that a cover up has gone on with both the hospital and ICO, which makes us angry and has created trust issues with all medical professionals.”

• ORG is particularly worried by this account, as the ICO does not appear to have recognised the importance of personal data access regarding potentially significant cases of institutional failure, in this case within health care.

Martin Goose
ICO failed to address bad data practices by professional body

Back in 2018/2019 I became increasingly concerned about the out of date security of my professional body’s Internet facing membership servers. After extensive discussions with them, where I offered technical evidence and GDPR law, I asked that they remove my personal data. They did so and expelled me. As the sole professional body for my profession outside the USA this was major impediment to my ability to practice my profession. I complained to the ICO in a 4 page document outlining my case.

The ICO simply required the organisation to produce an action plan (which they refused subsequently to disclose to me for possible private legal action) to prevent a recurrence. One of their emails to me stated “The Information Commissioner does not act on behalf of individuals …”. As a former regulator this seems outrageous.

They did nothing to cause the professional body to acknowledge their unreasonable and possibly illegal treatment of me. I felt that when compared with my former employer the Health and Safety Executive, the ICO were pretty toothless, sided with the organisation complained against, and were only interested easy wins. The loss of my professional qualifications reduced my ability to earn a living!“

• ORG is particularly worried by this account, as it implies the ICO did not understand that the professional body had acted to punish someone responsibly disclosing security issues. Failure to fine the organisation means that other bodies are not incentivised to behave rationally and sensibly, discouraging people to speak up when they encounter dangerous situations.