The UK’s data protection regulator hasn’t done enough to stop the government from disregarding fundamental privacy rights during the pandemic, a cross-party group of 20 opposition MPs has said.
The claims come in a letter sent to Elizabeth Denham, the head of the Information Commissioner’s Office (ICO), with the MPs saying more proactive enforcement of the Data Protection Act, which is based upon Europe’s General Data Protection Regulation (GDPR), is needed.
“Parliamentarians and the public need to be able to rely on the regulator,” the MPs write in the letter. They go on to say there have been numerous data protection issues during the pandemic – such as those around the legal failings of the Test and Trace scheme and wider issues with the contact tracing app – and suggest the ICO should have taken stronger action against any government missteps.
“The government have highlighted your role at every turn, citing you as an advisor looking at the detail of their work, and using you to justify their actions,” the letter says. The document has been signed by Labour, Liberal Democrat, SNP and Green MPs. No Conservative MPs are included.
The letter comes at a time when the ICO is facing increased public scrutiny. An audit of the regulator recently graded some of its work as only “adequate” and a freedom of information request revealed that Denham has been working remotely in her native Canada for personal reasons for the last two months. The west coast of Canada, where Denham is currently based, is eight hours behind the UK, creating a big time gap between Denham and the rest of the ICO’s staff.
“The public needs a data regulator with teeth. The ICO must stop sitting on its hands and start using its powers – to assess what needs to change and enforce those changes – to ensure that the government is using people’s data safely and legally,” Liberal Democrat MP Daisy Cooper said in a statement alongside the letter. Also included on the letter are Labour MPs Clive Lewis and John McDonnell, Caroline Lucas from the Green Party and Tommy Sheppard from the SNP.
“Privacy is fundamental to trust,” Lewis said in a statement. “The ICO must investigate and force the Government to fix the problems, to avoid a wider breakdown in trust.”
The ICO has a crucial role in how data is used and processed in the UK. It is responsible for regulating data protection issues as well as people’s rights under the Freedom of Information Act and the Privacy and Electronic Communications Regulations, which govern the use of inappropriate calls, texts and emails for marketing purposes.
It has the power to fine organisations that are found in breach of data protection regulations or marketing communications abuses. GDPR provides the potential for huge fines to be issued. However, the ICO, like many data protection regulators across Europe, has issued very few fines under GDPR since it came into force in May 2018.
“Our regulatory obligations include advising as well as supervising the work of data controllers,” says an ICO spokesperson. The ICO says it plans to respond to the MPs in due course. “Our approach during the pandemic has been to provide advice on the data protection implications of a number of initiatives by the UK government, the NHS, local councils and private sector organisations to respond to the public health crisis.”
The ICO says that it recognises the government and other organisations had to quickly respond to the pandemic. “We have explained their data protection obligations and provided guidance and expertise at pace to them,” the spokesperson says. “We have published much of this work so there is transparency, and will audit and investigate arrangements where necessary to ensure people’s information rights are upheld.
“We will continue to uphold people’s information rights, and we will act where our advice is not followed and where we find serious, systemic or negligent behaviour that puts people’s protections at risk.”
The letter, which has been co-ordinated by privacy organisation the Open Rights Group, comes at a challenging time for the ICO. During the pandemic, it paused its work on some new and ongoing data protection cases. An investigation into the advertising technology used by Facebook and Google, which follows people around the web and collects information about them, was paused, in part not to put “undue pressure on any industry”.
Critics of the ICO claim it should use its enforcement powers or risk organisations becoming complacent about data protection. “The government will just break the law and take risks unless it feels there are consequences,” says Jim Killock, executive director of Open Rights Group. “If the data protection authority is being slack and not bringing problems to the public’s attention, then the government feels no cost and it simply won’t improve its behaviour.”
Within the letter, the MPs highlight personal data issues raised by the pandemic. They point out that the Test and Trace scheme launched without a mandatory data risk assessment (DPIA) having been conducted first, with the government subsequently admitting it was unlawful. The MPs also raise concerns around the contact tracing app. “It chose to build a contact tracing proximity app that centralised and stored more data than was necessary, without sufficient safeguards, as highlighted by the Human Rights Committee,” the letter says.
The ICO has been involved throughout these processes, providing advice to the government. “I have told the government that they need to be transparent to the public,” Denham told the Human Rights Committee in an evidence session in May. She added the ICO could be a “critical friend”.
However, the ICO should take action to make sure people trust the Test and Trace system, the letter says. “ICO action is urgently required for Parliament and the public to have confidence that their data is being treated safely and legally, in the current Covid-19 pandemic and beyond,” the MPs write.
During the pandemic the ICO has been publishing information that can help businesses with data protection issues. For instance, it has provided advice for businesses on how to properly collect people’s data for contact tracing, published information about accessing sensitive healthcare data, and advice about ensuring data security when people have been working from home.
“We have published clear guidance on how we would regulate through this period, and committed to utilising the flexibility that the law offers for these unique times,” Denham wrote in the ICO’s 2019/2020 annual report (PDF). “And we have engaged positively with government and health authorities looking to use innovative approaches to reduce the impact of coronavirus.”
Beyond data protection issues during coronavirus, there are wider questions about the ability for data protection regulators across Europe to enforce the requirements of GDPR. Internet rights group Access Now published a report on GDPR’s second anniversary in May saying that there has been “weak” overall enforcement of the regulation.
The report stated that from May 2018 to March 2020 there had been 231 GDPR fines and sanctions, while there had been more than 144,000 complaints made in just 12 months. GDPR-related cases can be complex and messy and are likely to take a long time to resolve. GDPR action against Twitter is currently being held up as regulators can’t decide how it should be dealt with.
The ICO has issued one GDPR fine: Doorstep Dispensaree, a London-based pharmacy, was fined £275,000 in December 2019. The ICO announced two other notices of intent for fines but they have not yet materialised.
It planned to fine British Airways £180 million for its 2018 data breach and Marriott Hotels £99m for another data breach in 2018. Both planned fines were announced in July 2019 but neither has been paid. The fined companies have challenged the ICO’s decision and negotiations are ongoing – this month British Airways’ financial results stated it had set aside £20m for the GDPR fine. The airline has been dealt a major financial blow by the pandemic and the ICO has said the “regulatory process is ongoing”.
Access Now’s GDPR report stated that many data protection regulators across Europe don’t feel they are provided with enough resources to tackle the growing amount of data issues. The ICO likely falls into this bracket. For all of its work over the next year it has a budget of £61m – this includes staffing and all of the work it has to complete, which is often legally complex and costly.
“The ICO’s lack of data protection and FOI enforcement, as well as its lack of scrutiny over internal privacy issues, cannot be down to funding alone, because we are now seeing other government bodies on equally tight budgets taking up the slack,” says Heather Burns, a tech policy specialist and privacy advocate. Burns cites the Competition and Markets Authority’s report into ad-tech and the Behavioural Insights Team’s guide to creating clearer privacy policies.
And there’s another looming issue that the ICO and government have to handle: Brexit data sharing. The government is pushing for an adequacy decision from the European Union, meaning it would be deemed safe for data to be transferred. But these decisions aren’t easy to obtain and the time for a Brexit agreement is running out.
“A data protection regulator which is present, accounted for, and doing its job will be central to achieving that adequacy ruling, as well as to the success of our forthcoming National Data Strategy,” Burns says. She believes that parliament should scrutinise the role and effectiveness of the ICO when it next resumes. “It quite simply beggars belief that both our domestic and international tech policy strategies are now being put at risk through a single point of failure.”
Matt Burgess is WIRED’s deputy digital editor. He tweets from @mattburgess1