On 28 June 2016, the UK Information Commissioner’s Office (ICO) launched its annual report, containing details of its activities and financial statements between April 2015 and March 2016. It is Christopher Graham’s last annual report before he hands over to Elizabeth Denham as the new Information Commissioner this summer.
Some statistics on caseloads and enforcement action in the areas of data protection, privacy and electronic communications (including direct marketing), and freedom of information are set out below.
Amongst many other activities, the report highlights the ICO’s response to the unexpected, including big data breaches such as at TalkTalk, newspaper allegations about charity fundraising methods, the debate on surveillance and the Investigatory Powers Bill, and the Schrems judgement (which meant the US Safe Harbor scheme could no longer be relied upon for data transfers to the US).
During the year, the ICO also took on responsibility for handling complaints under the Re-use of Public Sector Information Regulations 2015, and issued guidance on this law.
The ICO also launched an online self-assessment toolkit, aimed at SMEs, to assist businesses in assessing their compliance with data protection law.
In relation to the new EU General Data Protection Regulation, the ICO has been preparing for the new framework which is to take effect from 25 May 2018. However, hot off the press, it is also considering the impact of the EU referendum. In a separate press release (on 24 June 2016), the ICO underlines the importance of the UK achieving “adequacy” under EU laws, which means that UK law would still need to meet standards equivalent to the new Regulation, even if we do leave the EU.
The full report is available at www.ico.org.uk.
The ICO received 204,700 calls to its helpline over the course of the year, which is similar to last year’s figure. 80% of the calls related to data protection, 15% to privacy and electronic communications, and 4% to freedom of information.
The ICO issued civil monetary penalties of over £2.5m for breaches of the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). Over £2 million of these fines related to unlawful direct marketing activities. This followed a change in the law last year making it easier for the ICO to impose monetary penalties under PECR (removing the requirement for “substantial damage or distress”).
Eight enforcement notices were served during the year. Seven of these related to DPA compliance and one related to compliance with the Freedom of Information Act 2000 (FOIA). One of them was to require Google Inc. to remove nine search results about an individual under the “right to be forgotten”. Many more cases resulted in written undertakings.
The ICO secured 14 criminal convictions for unlawful obtaining of personal data, failing to register with the ICO, and failing to respond to an information notice. In addition, three cautions were issued. These included the ICO’s first caution for a criminal breach of section 56 of the DPA on enforced subject access, and two for section 55 offences (unlawful obtaining or disclosure of data).
The ICO undertook 35 audits, 17 information risk reviews, 36 follow-up audits and 77 advisory visits of/to organisations during the course of the year.
The ICO received 16,388 data protection complaints. This is an increase of over 2,000 or 15% from last year. Over 90% of cases were concluded within three months. Of complaint casework finished (15,718), 34.9% resulted in the data controller needing to take no action, and 20.8% resulted in action being required of the data controller. Other outcomes included concerns being raised with or advice being given to the data controller. These figures are similar to the outcomes last year.
42% of the complaints were about subject access requests, slightly down on the previous year, but this remains the most common issue for data protection complaints. Disclosure of data, inaccurate data and security remain other common areas. 6% related to rights to prevent processing, 2% up on last year. The top sectors giving rise to complaints were health, general business, local government and lenders. Following them were internet, policing and criminal, central government, education, telecoms and retail.
More than 370 people sought the ICO’s help after search engines refused to remove results about them under the “right to be forgotten”. This appears to be about three times as many as last year, which probably contributed to the increase in complaints relating to rights to prevent processing (see above). About a third of the requests related to criminal convictions. In a third of the cases the ICO required the search engines to remove results.
The ICO received 161,190 reports of concerns under PECR (including unsolicited marketing communications) over the course of the year (a decrease of about 20,000 from last year). In relation to telesales and spam texts, a pie chart indicates that calls with a recorded voice generated the most complaints (at 45%), followed by live calls (44%) and then spam texts (11%). As with last year, it is unclear how email (and fax) marketing concerns fit into the picture.
210 complaints about cookies were received – up 46 from last year.
There were 1,954 self-reported incidents under the DPA. This is an increase of about 300 or 17.2% from last year, and 46% were in the health sector. There were 613 self-reported incidents under PECR. This is a huge increase of 328 or 115% from last year.
The ICO received 5,181 complaints about freedom of information, an increase of about 200 from last year. 5,068 cases were closed (a similar number to last year); just under 70% within three months. 40% of the cases were about local government, 17% about central government, 16% about police and criminal justice, 10% about the health sector and 7% about the education sector. The outcomes were identical to last year: in 24% of the cases the complaint was upheld, and in 62% the complaint was not upheld (with the remainder being partially upheld). As with last year, a lot of complaints (27%) were made too early, before internal reviews by the relevant public authorities had been completed.
Olivia Whitcroft, principal of OBEP, 29 June 2016
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details