The government's privacy watchdog, the Information Commissioner's Office (ICO), has admitted that it does not have enough funding to meet its obligations or the expectations of its stakeholders, and may fail to achieve its objectives by 2015 if funding streams have not been assured by then.
In its latest risk register, which was published in October 2012 and released in response to a Freedom of Information request via the 'What Do They Know' website, the ICO foresees a situation where it “has to scale back what it wants to do and fails to deliver an acceptable level of service”.
The ICO has introduced some measures to mitigate the risk, such as advising the government that it needs extra resources, and liaising with Operations, Strategic Liaison and Policy Delivery on workload issues. But even with these measures in place, the risk is still deemed to be “high”.
As a result, the organisation is implementing a number of future mitigating actions, such as balancing resources and exploring an alternative funding model. It is also contributing to the debate on the new EU data protection regime and the UK's Communications Data Bill (a.k.a. the Snooper's Charter), to highlight the cost of implementation.
The ICO declined to comment on the risk register. However, the report states that the funding shortfall could affect its ability to spot developments, respond to risks, and engage with stakeholders to present the information rights perspective.
Commenting on the news, Stephen Midgley, vice president of global marketing at Absolute Software, warned that if governmental bodies like the ICO don’t have the proper funding, the UK may end up fighting a losing battle against cybercrime.
“It sends the wrong message to businesses, that whilst noises are made about the importance of data protection, the resources simply aren't there to act on breaches,” he said.
“Our government needs to face up to the threats of the cyber world and work with organisations like the ICO to act against data breaches and enforce fines on those who do not respect the dangers that come with living in a digital world.”
Other issues identified in the ICO's risk register include changes to information rights regulation, which have led to a period of uncertainty for the ICO, and an increase in casework at a time of reducing FOI resources, resulting in falling service standards and errors.
“The ICO’s reputation suffers and, as a result, the ICO loses influence with major stakeholders,” the report states. “Reputation problems may arise from either external events or internal process failures (eg. a failure in the ICO’s compliance with the legislation it regulates).”
The organisation stated that there is currently a 21-50 percent chance that it will not be able to implement its IT strategy smoothly. However, after further mitigating actions, including updating its accounting software and re-procuring IT managed services, this risk will drop to 6-20 percent.
The privacy watchdog is often criticised for being toothless, but in recent months it has dished out a number of fines to organisations that were found to be in breach of the Data Protection Act. Most recently, it imposed a monetary penalty of £100,000 after the discovery of a large number of patient records at a site formerly owned by Stockport Primary Care Trust.
Last month, a report commissioned by the ICO revealed a clear lack of understanding across business around the proposed EU data reforms. According to the report, 40 percent of companies don’t fully understand the ten main provisions being proposed, and 87 percent are unable to estimate likely costs of draft proposals to their business.