Exclusive: UK firms seek to limit ICO powers in data protection shake-up

Leading UK firms and organisations have expressed concern with the Information Commissioner's Office (ICO) having too much power to audit data, according to documents seen by V3.

As the ICO continues to push the Ministry of Justice (MoJ) for extended powers to check up on organisations' data handling processes, a group of private sector firms voiced their concern at this development during a wider debate on UK data protection law.

The concerns were raised during a three-hour meeting with the MoJ at the end of 2012 to discuss reforms to the UK's national data protection regulation and debate how the UK should adopt new, tighter data protection regulation currently being put forward by the EU.

As part of this discussion, the group debated whether the ICO should be given power to spot check private sector firms. Such proposals relate to articles 46-79 of the proposed EU Regulation.

"Concerns were raised about the ICO's powers and the group agreed that a power of entry should only be granted with a warrant, applied for an approved by a court," said the meeting's minutes, seen by V3.

"If this is not accepted then more checks and balances on the ICO's powers were needed and these should be included in the Regulation."

This discussion on the extension of ICO powers was part of a break-out session, attended by only some firms in the group. The ICO confirmed to V3 that it was not present in this discussion.

The overall meeting consisted of over 20 businesses, many of them from the tech sector, including Facebook, Symantec, Microsoft, Yahoo, BT and IBM, as well as large retail organisations renowned for collecting large amounts of customer data, such as Tesco and Experian.

All of the tech businesses have been since contacted by V3 for comment. Microsoft and Symantec have declined to comment, while Facebook, IBM and BT have yet to respond, and Yahoo has told V3 it was not part of the particular session.

More than 10 other organisations attended the meeting, including charities such as Cancer Research and lobby groups, such as Liberty and the Open Rights Group, as well as the ICO.

In October last year, information commissioner Christopher Graham said compulsory data audit powers were needed to cover local government, the health service and the private sector to ensure compliance with the law.

An ICO spokesman reiterated such calls in a conversation with V3. "We are calling now for the extension of compulsory audit powers, particularly to local government and the NHS," he said.

"We've got no plans to try and extend spot checks to businesses but this is not to say we won't look at doing this in the future."