The ICO – again – is failing to hold the media to account

18/12/24

By Thomas Kinsella, referring to the findings of Professor David Erdos in Inforrm.

The Information Commissioner’s Office (“ICO”) is the UK’s data protection authority and regulator.  Its job is to ensure that our data rights – as citizens – are being protected.

Unfortunately, the ICO has a history of failing to properly hold newspapers to account in their use (and misuse) of personal data. For example, the ICO was heavily criticised in the Leveson Report after it failed to pursue journalists in connection with revelations that private investigators associated with the press had been in possession of an enormous amount of personal data back in 2003.

Had the ICO pursued that investigation properly, phone hacking may have been exposed (and ended) much sooner.

Regrettably, a recent report suggests that lessons have not been learned.

In 2024, the ICO released its first statutory review of journalism’s compliance with data protection laws under the framework established by the Data Protection Act 2018. It was supposed to be the first ‘robust and comprehensive’ review of journalism’s compliance with data protection law and good practice.

Data protection expert Professor David Erdos has written about the review in great detail for Inforrm (and also the UK Constitutional Law Blog), and has uncovered a number of failings in the process.

It is first worth noting that this review was submitted to the Secretary of State in January 2024 and to Parliament in March. However, the ICO chose not to publicise the Report in any way, which led to it not being discovered for several months. Erdos points out the stark contrast between this and the ‘blaze of publicity’ the Leveson Inquiry received.

Once discovered, the 34-page report, which was the product of an 18-month review process, was not obviously the ‘robust and comprehensive’ review that had been promised.

In particular:

  • The ICO failed to use its statutory powers during the review. Under the Data Protection Act 2018, it had the power to ‘compel the provision of relevant information with only 24 hours’ notice (para. 2) and even to assess activity on-site through assessment notices (para. 3)’. However, throughout the 18-month review, the ICO chose never to use these special powers and instead relied on its own weak data, limited publicly available information and surveys filled out by fewer than a dozen respondents to inform its findings. Each of these methods was itself flawed.
  • The ICO analysed its own complaints data and confirmed that it had received 488 journalism-related complaints between 1 February 2020 and 24 March 2022 and had taken no enforcement action related to the entire four-year review period. The ICO stated that these complaints represented just 0.7% of the overall complaints it receives. However, with no further information on the nature of these complaints or the extent to which they were investigated, this single-page section of the review fails to inspire much confidence.
  • The second source of information was publicly available statistics and resolution reports from various press regulators, including OFCOM, IPSO and Impress. Regarding IPSO, the ICO looked only at complaints that were actually investigated by IPSO, which was a mere 0.92% of total complaints in 2022. The vast majority of IPSO complaints do not reach the stage of adjudication for various reasons; the body has, after all, been criticised as having processes which deter complainants from pursuing their concerns. Moreover, as Erdos highlights, no effort was made to check the detail of IPSO’s rulings.
  • Finally, the ICO used survey results to support its findings. The surveys were conducted by the ICO and answered by 11 people (one of these being Erdos himself). Respondents were advised to spend ‘no more than 10 to 15 minutes’ on their answers. Even the ICO itself acknowledged that they were “limited in the extent to which we can draw any firm conclusions, analyse, interpret and use the responses”. The section analysing the survey responses was the longest in the report.

The report concluded that the ICO had found ‘no evidence of widespread poor data protection practices or non-compliance with data protection legislation in journalism’ and ‘[o]n the basis of the information received we are unable for[m] a view that “journalism” is meeting its legal obligations or have established good data protection practices across journalism’.

The ICO perhaps needs a reminder that this review was established following widescale data breaches across the industry. Not only that, but those breaches were hidden and covered up for many years. The idea that we could glean anything from the fact that the ICO glanced through the industry’s own figures and ran a short survey is absurd.

The fact it had the powers to investigate further but failed to do so points to a significant failure at the ICO.

As Erdos finds, ‘it is impossible to avoid the conclusion that an important statutory duty was far from fully carried out.’

Professor Erdos’ full piece is highly recommended and can be read here on Inforrm.

Queries: campaign@hackinginquiry.org