“How to write a suicidal job application?” or “How not to become a member of the Information Commission”

Last June, I applied to become a Non-Executive Member of the new Information Commission; there were seven places up for grabs.  My application has been turned down without an interview – so clearly I am NBG as far as HMG is concerned.

I knew that my application was unlikely to be successful, but just in case I made the cut, I based my application on the following observations:

  • I have been in data protection for forty years, and probably know more about the UK’s data protection regime than most candidates applying for the position of Non-Executive Member.
  • I had the knowledge to challenge what the Commission’s Executive Members were proposing, and to ask the difficult question before a data protection policy became public.
  • One of the Non-Executive Members of the Commission should be tasked with looking out for the interests of data subjects (e.g. me).
  • The current ICO has lost the trust of many NGOs and academics who work in the privacy space (witness the recent letter organised by the Open Rights Group).  I was in a position to mend fences and build bridges.
  • The current ICO has usurped the role of Parliament in deciding on its public policy towards enforcement, especially in the public sector.
  • Ministers exploit their special position as controllers, since they are responsible for the largest controllers in the UK (e.g. HMRC, Defence, PNC, Passports, DVLA etc). They can also enact secondary legislation that defines their Departmental processing as being lawful.  As such, their political responsibilities for Departmental processing, and their political objectives, are likely to conflict with (and override) the privacy interests of data subjects.
  • Ministers have fettered the Information Commission/ICO when enforcing the data protection regime.  For example, the Human Rights Commission has joined the Judicial Review in relation to the use of facial recognition CCTV by the Metropolitan Police (expected in January). By contrast, the ICO has not joined these proceedings, as if there were no privacy issues to resolve.  This could be because the ICO’s role of enforcing data protection is fettered by crime prevention considerations (as per Section 120B of the Data (Use and Access) Act [“DUAA”]).
  • Ministers have reduced the effectiveness of the ICO by requiring the Office to report to a Government Department instead of reporting to Parliament (e.g. as the Parliamentary Ombudsman does).
  • The Government have published some of the work I did for them on a voluntary basis (e.g. I was a member of PCAG, which produced its “Identity assurance principles for building identity services in government”; these principles have been wholly ignored by Government in its compulsory ID e-card; see references).

Anyway, I thought it best to be explicit in my application on “what they were getting”.  This was to ensure that, if I were to be appointed, my motives had been unambiguously stated on my application.

Perhaps one can be too explicit?

At the time of my application in June, the letter from the Open Rights Group (published late November) was not a consideration (see references; I am sympathetic to its text). This letter argues that the ICO’s decision not to use his enforcement powers when he could have done so has undermined data protection compliance in general.

In my application, I argued that the ICO’s policy of a very light touch (verging on non-enforcement) of the public sector had no Parliamentary authority and that the ICO had no remit to establish public policy in an area which impacted on 55 million UK data subjects.

If the ICO was of the view that fining the public sector did not work, the ICO should have informed Parliament/Ministers of his conclusions and asked them to determine an alternative approach to enforcement.  It is not the ICO’s job to independently determine such important public policy decisions.

In any event, the accompanying Open Rights Group Press Release shows how poorly the current ICO is regarded:

“After years of failing to hold public sector organisations to account, the failure of the ICO to investigate the most serious data breach in UK history [the MOD Afghan Breach] is the final straw. The ICO’s public sector approach must end before more people are harmed by data breaches at the hands of the government and public authorities.  A data regulator that fails to deter bad practices is not worth having”.

In my view, the current Commissioner by adopting his laissez-faire approach to enforcement (as described in the Open Rights letter) has usurped the role of Parliament; it’s as simple as that.

There are viable alternatives under the current DP law which have not been used by the ICO. For example, with the latest MOD Afghan data breach (which does not even qualify for a Reprimand from the ICO), the ICO could have served an Enforcement Notice.  I doubt whether the MOD would resist such a Notice as any Appeal would publicly reveal many of its other security lapses (e.g. through legal scrutiny and cross examination).

An Enforcement Notice would have the effect of requiring the MOD to change its procedures; failure to meet the Notice’s requirements would risk attracting a monetary penalty.

Unlike a Penalty Notice (or Reprimand), which looks backwards to penalise a controller’s past non-compliant processing, an Enforcement Notice specifies what needs to be done, in future, to ensure compliant processing.

An Enforcement Notice is therefore a necessary safeguard that ensures a controller behaves properly in future.  The ICO, without any authority whatsoever, has unilaterally dispensed with this vital safeguard.

Just imagine; the police catch a recidivist burglar.  Do the police say “Hello naughty re-offender: you know burglary is a crime. Here is an oral warning (i.e. not even an official caution). But we do need you to promise not to do it again?”.  What do you think the Daily Mail would make of that?

This explains why, when the ICO lets a recidivist data breacher such as the MOD off the hook, the message to all controllers is “don’t worry, this is all a fuss about nothing” (when it is palpably not).

Additionally, the ICO, by not serving an Enforcement Notice on the MOD, undermines the use of these Notices in future.  Any barrister representing a controller who is subject to enforcement after a data breach less serious than the MOD’s, can now argue:

“If the ICO does not enforce the data protection requirements with respect to MOD data breaches when lives are placed at risk, and where the MOD has exhibited recidivist data breach propensities, it is an abuse of power and unfair for the ICO to pick on my poor client and enforce an accidental one-off data breach, especially where there is no evidence of any damage”.

The ICO has also failed to suggest viable alternatives for Parliament to discuss, preferring his “let it be” policy.  For example:

  • Should the failure to comply with an Enforcement Notice be a crime as well as attracting a monetary penalty?  Under the DPA1998, a failure to comply with an Enforcement Notice was an offence (see S.47 of the DPA1998); senior managers of a body corporate colluding in such an offence could also face individual prosecution (see S.61 of the DPA1998).  In other words, fining Facebook peanuts (e.g. £10 million) is a waste of time, but an arrest for an offence committed by Mark Zuckerberg (or his Meta directors), when they get off a flight at Heathrow, would be a different matter.
  • Should there be an offence of deliberately breaching a data protection principle? Currently, members of staff who deliberately breach the data protection rules risk an offence under S.170 of the DPA2018. This contrasts with a controller or processor, who deliberately breaches the data protection rules; they likely risk – well, um er, ugh, perhaps, absolutely nothing –  thanks to the ICO’s “relaxed” enforcement policy.
  • If offences were to exist, any ill-gotten gain for the controller committing this offence could be confiscated under the Proceeds of Crime Act 2002  (i.e. this could be a viable alternative to a monetary penalty).

To properly understand how the current Commissioner has usurped the role of Parliament, one needs to step back into data protection history.

As is well known, the Blair Government experienced a series of embarrassing data breaches involving millions of UK data subjects (e.g. the HMRC child benefit data breach in 2007).  As a result, a Liberal Peer tabled an amendment to the Criminal Justice and Immigration Bill (it became an Act in 2008) that made a deliberate breach of a Data Protection Principle, by a controller, a criminal offence (see references).

For some reason, the Labour Whips in the Lords did not ensure a Government majority to defeat this amendment and it passed by four votes.  This meant that the then Labour Government, if it disagreed with this Lords amendment, could use its majority in the Commons to either vote down the amendment, or provide an alternative.

Given the range of data breaches that had occurred within Governmental Departments, and to avoid any Parliamentary hassle in the Commons, the Government opted for the latter.

Hence the emergence of a Government amendment that established the Monetary Penalty Notice (max fine £500,000).  This applied to all controllers (including the public sector). Monetary penalties applicable to all types of controller (public or private), of course, continued under the GDPR with the maximum fine much increased.

Note the public policy adopted by Parliament and Government is to have monetary penalties that apply to the public sector. This is augmented via Article 83(7) of the UK_GDPR which allows Member States to go their own way on public sector fines; no such amendment has been enacted.

Instead of this option being implemented by the UK Government (e.g. no public sector fines), this policy has been, in practice, implemented by the ICO.

In other words, if Parliament/Government wanted the ICO’s current enforcement policy, it could have enacted legislation to permit this. It is not for the ICO to introduce, by administrative fiat, legislative options which are the preserve of Parliament and Government.

I have no doubt that Ministers tacitly support the ICO’s policy. For instance,  I am sure the Secretary of State at the MOD is “very content” about the non-enforcement of the latest Afghan data breach.

It is interesting to note that one of the first tasks of the new Commission will be to assess whether it agrees that the current policy surrounding public sector fines can continue without any involvement of Parliament.

In general, how can Ministers have an impartial view on how data protection enforcement applies to their Department?

For example, the Secretary of State at the Home Office has promised a “Code of Practice” on the use of facial recognition CCTV by the police.  So if there were to be a conflict between policing and civil liberties over the Code’s wording, who would have the ear of the Home Secretary: the Chief Constables of Police or privacy NGOs such as Big Brother Watch?

I should add that this conflict of interest was first raised in the Lindop Report into data protection in 1978 (see references).  Its conclusion was that the text of any Code had to be determined by an independent Data Protection Authority and then submitted to Parliament for approval.  Ministers were excluded from the Code’s final text because they were conflicted.

In practice, Ministers can push through legislation (usually secondary legislation, which is enacted with minimal scrutiny) that can destroy the delicate balance established by the Data Protection Principles.  If you look at, for instance, section 12(6) of the Children Act 2004, you will see that several Principles are under the control of the Secretary of State for Education (e.g. he/she defines what is accurate personal data, what is relevant content and what is securely processed personal data; see references).

This means that the lawful interpretation of the Principles can be established in accordance with the Minister’s Departmental preferences and not via Article 5 of the UK_GDPR.

Indeed, under DUAA, Ministers can, via secondary legislation, establish new exemptions from the UK_GDPR, specify that the processing for a particular purpose is a Recognised Legitimate Interest, state that any further processing in support of Departmental objectives is compatible with the purpose of obtaining, and permit any novel automated decision-making by AI techniques.

In summary, letting Ministers have powers over how data protection law applies to their Departmental processing is rather like allowing Count Dracula to determine who has access to the NHS Blood bank.  The ICO in this context should be considered as a “Bride of Dracula”.

Finally, one does wonder whether the new Commission is truly independent if:

  • it reports to a Government Department (currently DSIT),
  • its Members are chosen by the Secretary of State of DSIT,
  • its Chair is chosen by a panel chosen by the Secretary of State of DSIT, and
  • Government has fettered the Commission’s discretion to enforce the data protection regime because of the requirement that processing is innovative,  impacts on the economy or on crime prevention (see Section 120B of DUAA).

In summary, given the above,  I naively thought the Commission needed a Non-Executive Member who:

  • has the expertise to look out for data subjects’ interests,
  • can ask the awkward question, and
  • can be trusted by privacy NGOs.

Unfortunately, this vision was not shared by the current powers that be.

Finally, the upcoming courses (details on this website) are:

  • Data Protection Practitioner (5 days: Zoom and onsite): 2-6 February 2026
  • Data Protection Foundation (3 days: Zoom and onsite): 24-26 March 2026
  • Data (Use and Access) Act Workshop (1 day: Zoom only): Thursday 22 January 2026

Open Rights Group letter saying the ICO is more or less useless: https://cloud.openrightsgroup.org/nextcloud/s/JkpjfkJRc3dKTY7?dir=/&editing=false&openfile=true

Parliamentary Debates about the Penalty Notice introduced via the Criminal Justice and Immigration Act 2008:

  • Breach of a Principle is an offence: Lords Hansard, Column 1536, 23 April 2008: https://hansard.parliament.uk/lords/2008-04-23/debates/08042355000007/CriminalJusticeAndImmigrationBill
  • The replacement of the above offence with a Monetary Penalty Notice: Commons Hansard, Tuesday 6 May 2008: Column 629, https://hansard.parliament.uk/Commons/2008-05-06/debates/0805068000001/CriminalJusticeAndImmigrationBill

Section 12(6) of the Children Act 2004 (Principles under the control of Ministers): https://www.legislation.gov.uk/ukpga/2004/31/section/12

Identity assurance principles for building identity services in government (not for the Government’s e-ID scheme): https://www.gov.uk/government/publications/identity-assurance-principles-for-identity-services-in-government/identity-assurance-principles-for-building-identity-services-in-government

DPA1998 offences not in the DPA2018: https://www.legislation.gov.uk/ukpga/1998/29/contents/enacted

Report of the Committee on Data Protection (chair Sir Norman Lindop), Cmnd 7341, 1978
