It has been a tough month for the Information Commissioner's Office, as the UK's data protection watchdog found itself in the firing line during the Leveson inquiry into press standards.
The inquiry heard evidence from Alexander Owens, a former police officer who had been hired by the ICO in 2003 to investigate the illegal trade in stolen personal data. Owens' investigation, Operation Motorman, discovered evidence that various newspaper journalists had bought data illegally obtained from government employees.
Owens said that he had compiled enough evidence to prosecute everyone in involved in the supply chain of stolen data, including journalists. But he alleged that the deputy ICO at the time had said: "We can’t take the press on; they are too big for us".
This was grist to the mill of the ICO's critics, who argue that the while it regularly fines local authorities, often after they have confessed to data breaches themselves, it shirks from going after bigger, more powerful targets.
Richard Thomas, the Information Commissioner at the time of Operation Motorman, gave evidence in the inquiry a week later. "Thanks goodness we did not prosecute the journalists," he said. "The impact for the office would have been very, very demanding indeed."
The ICO is undoubtedly in a difficult position. So great is the potential for technology to abuse or misuse personal data that it is difficult to imagine the ICO ever having enough resources to address the problem fully. It always has to take a view on whether a case is worth pursuing given the resources it has available.
But there are nevertheless occasions when one might hope for a little more bite from the ICO.
For example, as the Leveson inquiry was going on, a story quietly broke of a woman whose credit rating was damaged by a glitch in Barclay's Bank's credit checking software. This lead to her mortgage application being turned down – an example of how data management blunders by large institutions can have potentially devastating effects on people's lives.
Having investigated the case, the ICO gave the following statement: "We decided that it is unlikely that [Barclays] has complied with the requirements of the DPA … because it appears unlikely that Barclays has processed the complainant’s personal data fairly. However, the Information Commissioner has decided that further regulatory action is not appropriate at this time.”
There may be more to the story. But these do not sound like the words of a regulator that is likely to take on the country’s most powerful organisations, the very organisations whose abuses of data can be the most damaging.