ICO: 'Government should not appoint our CEO'

Regulator responds to the DCMS's consultation on data protection laws

The Information Commissioner's Office (ICO) has published a response to a consultation by the Department for Culture, Media and Sport (DCMS) Data: A new direction which looks at data protection regulations post-Brexit.

In its response, the regulator finds the consultation to be something of a curates' egg, good in parts, a little unsavoury in others - and occasionally rotten.

In the foreword, outgoing Information Commissioner Elizabeth Denham says: "It is important government ensures the UK is fit for the future and able to play a leading role in the global digital economy. I therefore support this review and the intent behind it."

However, she adds: "As the proposals are developed, the devil will be in the detail."

One of the details most strongly opposed by the ICO is the DCMS's proposal to directly appoint the regulator's CEO.

"For the future ICO to be able to hold government to account, it is vital its governance model preserves its independence and is workable, within the context of the framework set by Parliament and with effective accountability," Denham writes.

"The current proposals for the Secretary of State to approve ICO guidance and to appoint the CEO do not sufficiently safeguard this independence."

On the other hand, given the scope of its brief, she welcomed the move to beef up the governance model of the data regulator.

"A statutory supervisory board with separate Chair and CEO will be better suited to the ICO's role as a whole economy and public sector regulator with extensive domestic and international responsibilities."

Denham says a strong, independent regulator is important in how the UK is seen globally, noting: "Innovation is enabled, not threatened, by high data protection standards."

The ICO also welcomes proposals to make it simpler for organisations to comply with the regulations, but urges caution against tipping the balance too far the other way. Cookie banners, for example, cause opt-out fatigue and should be simpler, but removing prior consent for all types of cookies is not the answer, it says.

Similarly, the regulator welcomes the review of GDPR Article 22, which covers the right of individuals not to be subject to a decision based solely on automated processing, in that it may provide more clarity and guidance, but is adamant it should not be removed from the UK's data protection legislation, as the government apparently desires.

"We do not agree with the Taskforce on Innovation, Growth and Regulatory Reform that the right to human review should be removed. Having the right to human review of decisions that can fundamentally affect our lives has been part of data protection law for many years, including prior to the GDPR."

A better approach, it says, would be to consider how to improve accountability, fairness and transparency of AI.

The government also proposes to remove the requirement for medium and large firms to employ a data protection officer (DPO).

The ICO agrees the current requirements are ‘overly prescriptive, but says,"it is important that the independent advice, skills, leadership and links to board level governance brought by DPOs are not lost as a result of any changes."

And on legitimate interests, where organisations can apply to process personal data on legal grounds, and where the government proposes to simplify compliance, the ICO warns against simplifying too far, to the detriment of the citizen.

"We are concerned that as currently set out in the consultation, the types of processing are too broad to provide the necessary certainty."

Elizabeth Denham is set to be succeeded in her role by John Edwards, who held an equivalent position in New Zealand.