ICO publishes Annual Report 2017/2018

On 20 July 2018, the UK Information Commissioner’s Office (ICO) published its annual report, containing details of its activities and financial statements between April 2017 and March 2018. It is Elizabeth Denham’s second annual report as the Information Commissioner.

Activities include:

  • Continuing to produce guidance on the GDPR and contributing to the EU Article 29 Working Party (now the European Data Protection Board) Guidelines.
  • Preparing specific GDPR guidance and setting up a dedicated helpline for SMEs.
  • Advice to the Government during the passage of the Data Protection Act 2018.
  • Preparations to ensure the ICO’s own internal processes take account of the GDPR.
  • Investigation into the use of personal data and analytics for political campaigns (including by Facebook and Cambridge Analytica).
  • "Your Data Matters" campaign to assist organisations in informing their customer base of their data rights.
  • Helping to reduce the retention period of automatic number plate recognition records obtained by the police.
  • Participating in the global information rights community, including leading Privacy Enforcement and Unsolicited Communications Network Sweeps, examining (respectively) the level of control users have over personal information for websites and apps, and examining affiliate marketing on websites.
  • Integrating the Telephone Preference Service complaint reporting system into the ICO’s reporting systems.

The ICO has also had increased regulatory casework during the year in investigating and addressing queries and concerns. Some statistics on caseloads and enforcement action in the areas of data protection, privacy and electronic communications (including direct marketing), and freedom of information are set out below. Note that enforcement action covered by the report relates to matters prior to the GDPR applying, and therefore data protection enforcement is under the Data Protection Act 1998 (DPA 1998).

The full report is available at www.ico.org.uk.

Enforcement and caseloads – some statistics

The ICO received 235,672 calls to its helpline over the course of the year, which is up over 24% from last year (and a significant number were following the introduction of a new phone service for SMEs to prepare for the GDPR). There were also 30,469 live chat requests (up 61.5% from last year) and 17,586 requests for written advice (up 40% from last year). 85% of enquiries related to data protection, 9% to privacy and electronic communications, 4% to freedom of information, and 2% were hybrid. Approximately 68% were from members of the public and 32% from those regulated by the ICO.

The ICO issued the largest number and amount of civil monetary penalties to date. This included 26 civil monetary penalties totalling £3,280k for unlawful direct marketing activities in breach of the Privacy and Electronic Communications Regulations 2003 (PECR). It issued 11 civil monetary penalties totalling £1,290k for serious breaches of the DPA 1998.

These monetary penalties include:

  • the joint largest penalty to date of £400k against Carphone Warehouse following a cyber-attack. Note: The ICO has since issued a notice of intent to issue a penalty of £500k against Facebook;
  • Another £400k penalty against Keurboom Communications for making nearly 100 million unlawful marketing calls;
  • 11 monetary penalties against charities for unlawfully processing donors’ personal data; and
  • two monetary penalties against data-broking organisations in connection with nuisance calls and messages.

10 enforcement notices were issued in relation to direct marketing matters, and 14 preliminary enforcement notices and six enforcement notices were issued in relation to subject access requests.

The ICO secured 18 criminal convictions for unlawful obtaining of personal data, failing to register with the ICO, and failing to respond to an information notice. In addition, six cautions were issued for other section 55 offences (unlawful obtaining or disclosure of data). There were criminal investigations in the automotive repair industry and into corporate clients tasking private investigators to unlawfully obtain personal data (the latter of which resulted in £185k in fines).

The ICO undertook 26 audits (18 relating to data protection and eight to PECR), 43 information risk reviews (focused on the higher education sector and on breach reporting in local and central government), 24 follow-up audits and 56 SME advisory visits to organisations during the course of the year.

The ICO received 21,019 data protection complaints. This is an increase of over 2,500 or 14.5% from last year. 88% were concluded within 90 days. Of complaint casework finished (21,346 – indicating some rolled over from the previous year), 31.6% resulted in the data controller needing to take no action, and 16.9% resulted in action being required of the data controller. Other outcomes included concerns being raised with or advice being given to the data controller. These figures are broadly similar to the outcomes last year.

39% of the complaints were about subject access requests, and this remains the most common issue for data protection complaints. Disclosure of data, inaccurate data, the right to prevent processing and security remain other common areas. Figures on concerns about requests to be removed from search engine results do not appear to be separately specified this year. The top sectors giving rise to complaints were general business, health, local government and lenders (the same as last year). Following them were policing and criminal, central government, education, "other individuals", internet and telecoms.

The ICO received 109,481 reports of concerns under PECR (including unsolicited marketing communications) over the course of the year (a significant decrease of about 57,500 or 34.4% from last year). In relation to telesales and spam texts, a pie chart indicates that calls where the recipient spoke with a person generated the most complaints (at 49%), followed by recorded voice calls (38%) and then spam texts (13%). As with last year, it is unclear how email (and fax) marketing concerns fit into the picture.

147 complaints about cookies were received – down 48 from last year.

There were 3,311 self-reported incidents under the DPA 1998 (although the summary to the report has a slightly lower number of 3,156). This is an increase of 29% from last year, and 361 related to cyber incidents. The health industry continued to report the largest number of breaches. Self-reported incidents under PECR (for the communications sector) do not appear to be specified. Note: There are also reports of increased self-reporting since the GDPR applied in May 2018.

The ICO received 5,705 complaints about freedom of information, an increase of about 300 or 5% from last year. 5,784 cases were closed and 66% were concluded within 90 days. 41% of the cases were about local government, 15% about central government, 17% about police and criminal justice, 10% about the health sector and 9% about the education sector. In 30% of the cases the complaint was upheld, and in 53% the complaint was not upheld (with the remainder being partially upheld). As with last year, a lot of complaints (33%) were made too early before internal reviews by the relevant public authorities had been completed.

There were 284 appeals to the Information Rights Tribunal, and only (just under) 30% of appeals finished during the year were allowed or part allowed.

The report also contains statistics on information requests made to the ICO itself (under data protection and freedom of information laws). 1,509 requests in total were made over the year.

Olivia Whitcroft, principal of OBEP, 1 August 2018

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details