The Information Commissioner’s Office has invited comments on a draft policy setting out its approach to taking action against those who have breached the legislation it enforces. The Campaign’s response states:
“Although the draft Regulatory Action Policy purports to address the ICO’s policy in relation to all the legislation it enforces, the focus on data protection, and nothing else, is overwhelming. The document gives the impression that all other issues, including freedom of information, have been squeezed off the ICO’s agenda altogether.
For example, the proposed approach to the use of Enforcement Notices is expressly described in terms of enforcement notices under the Data Protection Act, though enforcement notices can also be issued under the FOI Act. There is a reference to their potential use in relation to ‘information rights obligations’ but each of the specific examples cited on pages 20-21 relates to a DP issue. The case for using an enforcement notice to deal with some authorities’ chronic failure to respond to FOI requests until months after the statutory deadline, is not mentioned. Yet perversely, the document suggests that an enforcement notice may be required to deal with ‘repeatedly delayed subject access requests’.
For 2018-19, eight ‘regulatory priorities’ are described, every one of which involves a data protection issue. No FOI issue is seen as a ‘priority’, indicating the extent to which the ICO’s attention has been captured by data protection. The document states that this list of priorities will determine the allocation of the ICO’s resources.
The ICO appears to be retreating from its ‘Information Commissioner’ role towards its pre-FOI status as the ‘Data Protection Commissioner’. We urge it to resist this highly retrograde step.”