The Information Commissioner's Office (ICO, stylised as "ico.") is the independent regulatory office dealing with data protection and privacy issues in the UK. It is sponsored by the Ministry of Justice. In 2011/12 it employed 350 people, dealt with 12,985 cases concerning data protection, 7095 concerning privacy and electronic communications regulations, 4633 concerning freedom of information, and conducted 15 prosecutions. It has a budget for 2012/13 of £19,695,100. The current Information Commissioner and Chief Executive of ICO is Christopher Graham.
All organisations that process personal information must register with the ICO in accordance with the Data Protection Act, with exemptions only for organisations that do very simple processing.
The ICO is responsible for and enforces:
- Data Protection Act 1998
- Freedom of Information Act 2000
- The Privacy and Electronic Communications (EC Directive) Regulations 2003
- The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011
- Environmental Information Regulations 2004
- INSPIRE Regulations 2009
The ICO has a number of tools at its disposal in order to achieve its aims and ensure compliance. Amongst these it has the ability to:
- Serve Information Notices - to request specified information to be provided to the ICO in a set time period
- Issue undertakings - commit organisations to taking steps to improve data protection practices
- Serve enforcement notices, 'stop now' orders - to require organisations where there has been a breach to take steps to come into compliance with the law
- Conduct assessments/audits - to assess the practices of organisations, both voluntarily and compulsorily (for data protection purposes)
- Issue monetary penalty notices - to require organisations up to £500,000 for serious breaches, as of 2010 onwards
- Prosecute criminal offences
- Report to parliament matters of concern
Notable Recent Cases
Southampton Intra-Taxi Surveillance
Following pressure from civil liberties group Big Brother Watch, Southampton Council was in July 2012 ordered to cease recording audio and video of conversations in taxis. The council has until 1st of November to comply with the enforcement notice, and is appealing the decision. The policy is defended on the grounds that it is a necessery measure to ensure the safety of both drivers and passengers, but Christopher Graham argued that it violated the reasonable expectation of privacy of both passengers and drivers. A similar scheme was proposed in Oxford in 2011, which again was dropped after opposition from Big Brother Watch.
Tesco Security Failings
The ICO is as of August 2012 making enquiries with Tesco as to its alleged improper handling and storage of online customers' data; these include potentially storing user passwords in plaintext (as opposed to securely encrypting them) and their use of severely out-dated software. The problems came to light after investigation by blogger Troy Hunt.
Local Authority Violations
In February 2012, the ICO found that 5 local authorities - Basingstoke & Deane, Brighton & Hove, Dacorum, Bolton and Craven District Council - were in breach of the Data Protection Act by failing to protect personal information. They have since given commitments to ensure all data stored remains secure, and that portable devices containing personal information will be encrypted.
Devon Torbay Care Trust Security Breach
The ICO handed down a £175,000 fine in August 2012 to the Devon Torbay Care Trust, after it published online the personal details of more than 1,000 staff members. It was unintentionally published online in the form of a spreadsheet, and was accessed 300 times in the five months that it remained up before the authorities were notified of its existence by a member of the public.
Sony PlayStation Network intrusion
The Information Commissioner's Office has come under considerable criticism for what is perceived to be its inadequate enforcement of the Data Protection Act, itself held to be a flawed piece of legislation. For more information, see Data Protection Act#Criticism. See also UK Cookie Law recommendations.
- Crap security lands Sony £250k fine for PlayStation Network hack, 2013-01-24
- Dear ICO: disclose Sony’s hash algorithm!, 2013-01-24, Light Blue Touchpaper