MPs tell ICO to ‘stop sitting on its hands’ and act on government data-protection lapses
Cross-party group of parliamentarians issues challenge to regulator
Credit: Adobe Stock
A cross-party group of MPs has written to the Information Commissioner’s Office to warn the regulator that it needs to start holding to account a government that has paid “scant regard to both privacy concerns and data-protection duties” during the coronavirus crisis.
The collection of 22 parliamentarians has contacted commissioner Elizabeth Denham to express their concerns over what they see as a lack of regard for data-protection displayed by the government in its pandemic-response efforts.
Among the issues identified in the letter is allowing “private contractors with problematic reputations” to process sensitive data, and the creation of a data store the MPs claim is “of unproven benefit”.
“Most recently, the government has admitted breaching their data protection obligations by failing to conduct an impact assessment prior to the launch of their Test and Trace programme,” the MPs wrote. “They have only acknowledged this failing in the face of a threat of legal action by Open Rights Group. The government have highlighted your role at every turn, citing you as an advisor looking at the detail of their work, and using you to justify their actions.”
The letter, which was co-signed by representatives of Labour, the Scottish National Party, the Liberal Democrats, and the Green Party, also accused health secretary Matt Hancock of showing “disregard for data protection safeguards”, and of failing to understand the requirements for data-protection impact assessments in respect of the Test and Trace scheme.
“On Monday 20 July [Hancock said to] parliament that ‘I will not be held back by bureaucracy’ and claimed, against the stated position of the government’s own legal service, that three DPIAs covered ‘all of the necessary’,” the letter said.
- How secure is government and should we have a right to know?
- Whitehall departments reported 500 personal data breaches to ICO in FY20
- How Brexit Britain could become a surveillance state
The MPs reminded Denham that her office retains the power to compel information from the government, as well as to mandate changes in practices – or even issue fines.
“Parliamentarians and the public need to be able to rely on the regulator,” they said. “However, the government not only appears unwilling to understand its legal duties, it also seems to lack any sense that it needs your advice, except as a shield against criticism. Regarding Test and Trace, it is imperative that you take action to establish public confidence – a trusted system is critical to protecting public health.”
Jim Killock, executive director of digital rights campaign body the Open Rights Group, which published the letter, said that the regulator’s accommodating approach in recent months showed that “there is something rotten at the heart of the ICO”. He warned the data-protection watchdog that, unless it took action soon, it risks being disbanded in the same manner as Public Health England.
“The ICO is a public body, funded by the taxpayers, and accountable to parliament. They must now sit up, listen, and act,” he said. “As a regulator, ICO must ensure that the government upholds the law. They must heed the lessons from what’s happened to Public Health England. The only way to avoid that fate is to enforce the law and discharge their legal responsibility properly.”
'Fast and loose'
Liberal Democrat spokesperson for digital, culture, media and sport Daisy Cooper said that, during the coronavirus crisis, the government has “played fast and loose with data protection measures that keep people safe”.
“The public needs a data regulator with teeth,” she added. “The ICO must stop sitting on its hands and start using its powers – to assess what needs to change and enforce those changes – to ensure that the government is using people’s data safely and legally.”
Another signatory, Labour MP Clive Lewis, said that, in order “to avoid a wider breakdown in trust”, the regulator must launch an investigation into government’s approach to data protection in order.
Green MP Caroline Lucas also warned of the loss of public confidence in the Test and Trace scheme.
“There must be an assessment of the risk of data leaks and measures put in place to prevent them,” she added.
John Nicholson, SNP’s representative for DCMS matters, said: “This government is currently envisaging further changes to the Test and Trace programme. We desperately need the ICO to enforce the law. A weak regulator failing to hold the government to account risks the health and safety of people in Scotland and whole of the UK. Failure to deal with privacy concerns endangers public health. The government and the ICO both need to take this very seriously.”
"There is something rotten at the heart of the ICO that makes them tolerate government’s unlawful behavior... they must now sit up, listen, and act."
Jim Killock, Open Rights Group
In response to the letter, an ICO spokesperson said: “Our regulatory obligations include advising as well as supervising the work of data controllers. Our approach during the pandemic has been to provide advice on the data protection implications of a number of initiatives by the UK government, the NHS, local councils and private sector organisations to respond to the public health crisis.
“We understand and recognise the government and other organisations had to act quickly do deal with the national health emergency, and we have explained their data protection obligations and provided guidance and expertise at pace to them. We have published much of this work so there is transparency, and will audit and investigate arrangements where necessary to ensure people’s information rights are upheld.
“We will continue to uphold people’s information rights, and we will act where our advice is not followed and where we find serious, systemic or negligent behaviour that puts people’s protections at risk.”
Lord Evans tells MPs that personal messaging platforms should only be used by ministers if doing so can be properly regulated
Digital and data once again had a starring role in supporting – and, occasionally, hampering – government’s work this year. PublicTechnology looks back at the most significant events.
Improvements to pass system will attempt to address ‘potential security vulnerability’
Regulator updates guidance after introduction of new measures