What’s the common thread among these news stories? The Information Commissioner’s Office (ICO) is supposed to take action against these infringements, but it looks like they have other plans: after pausing their investigation into the adtech sector, they finally seem to have pulled the brake entirely, blaming the Coronavirus crisis.
Open Rights Group (ORG) is deeply worried by the ICO’s recent developments: the unprecedented use of sensitive data and intrusive technologies we are facing demands closer scrutiny by our privacy watchdog, and we see no reason to give up on old issues either. This is why we have written to the Digital, Culture, Media and Sports Committee (DCMS), outlining how Covid-19 is impacting an already feeble regulator, and asking the Committee to take action.
ICO seems to have renounced their investigatory powers
The ICO’s response to Covid-19 states in plain English that they have stood down their audit work. This deprives the ICO of one of their two investigative means (compulsory audits), and significantly weakens the other (written inquiries). Indeed, by announcing to the world that they will not conduct on-site investigations, it is likely that non-compliant organisations may very well lie or omit facts to the ICO, as nobody will check.
On top of that, the ICO has repeatedly tweeted about how they won’t take action against certain infringements (for instance, see here and here), and has stated to some complainants that they won’t take forward any complaints at all.
ICO shutdown has no parallel at other government agencies
Although we understand the need for a regulatory agency to reassess its priorities in times of crisis, we find no excuse for the ICO’s anomalous policy, even in comparison with other governmental agencies.
We looked at 14 UK public authorities, agencies or bodies, and 12 European Data Protection Authorities (DPAs). In stark contrast with the ICO, everyone is pretty much keeping up with their job, while European DPAs seem to be increasing rather than halting their activities.
One example? In France, the DPA has not only supervised the development of the national contact tracing app all along the way, but has also compelled the government to enshrine certain safeguards in primary legislation.
ICO is failing to ensure that our data is treated with respect
Unfortunately, we find that the ICO’s behaviour is having tangible consequences in the unfolding of the COVID-19 crisis. For instance:
- A contact tracing company which will be involved in the test and trace system has been responsible for a data breach, yet they have publicly refused to refer the incident to the ICO (despite the law compelling them to do so).
- The NHSX is deliberately exposing users on the Isle of Wight to serious security flaws, which were “compromises in the name of timeliness” by the admission of the National Cyber Security Centre.
Despite the privacy-themed Rocky Horror Show which is unfolding before them, the ICO seems to be asleep on their feet. Indeed, we have no news of Serco being under investigation for their blatant infringement of the law, and the ICO has openly refused to hold the NHSX accountable for their failure to submit their contact tracing app DPIA for review, despite the residual risks which have not been mitigated.
We have asked the DCMS to invite the ICO to a hearing, and have them explain how they are planning to catch up with a situation which is obviously out of control. On top of that, ORG won’t give up challenging Government responses which do not meet legal and privacy standards.