ICO publishes Annual Report 2013/2014

On 15 July 2014, the ICO launched its annual report, containing details of its activities and financial statements between April 2013 and March 2014. This year’s report is entitled ‘Effective, efficient – and busier than ever’.

Over the year, the ICO has handled more complaints and queries, and concluded more enforcement action, than ever before. The ICO indicates that it has been using intelligence from customer contacts to identify priorities for regulatory action, and is seeking to work with other regulatory authorities to secure the biggest impact.

Some statistics on caseloads and enforcement action in the areas of data protection, privacy and electronic communications, and freedom of information are set out below.

Amongst many other activities, the report highlights the ICO’s guidance documents for social networking, direct marketing and mobile phone apps, and its new codes of practice for subject access requests and privacy impact assessments. It also comments on data protection issues associated with care.data, student loans, online dating services, Midata, and internet-connected televisions.

In relation to the proposed new EU Data Protection Regulation, the ICO comments that it is expected that it will take at least a further year to finalise the legislation, with two years after that for implementation of any new legal framework. As readers will be aware, this process is taking significantly longer than the timelines originally envisaged.

The full report is available at www.ico.org.uk.

Enforcement and caseloads – some statistics

The ICO received just under 260,000 calls to its helpline over the course of the year, and just under 12,000 written enquiries.

The ICO issued civil monetary penalties of £1.97 million (or £1.5 million following reductions) for breach of data protection or direct marketing requirements. This total figure is significantly down from last year (by over £1 million) – this seems to be a combination of a lower number of penalties (18 have been published on the ICO’s website rather than 23 from the year before) and more penalties at the lower rather than higher end of the permitted amount (the maximum is £500,000). In addition, just under £600k was cancelled or repaid on appeal. The ICO also issued seven enforcement notices and 27 undertakings (although these statistics don’t quite seem to tally with those separately published on the ICO’s website) relating to data protection and marketing matters. It undertook 63 audits of, and 117 advisory visits to, organisations. It secured 12 criminal convictions for unlawful obtaining or disclosing of personal data.

The ICO received 14,738 data protection complaints (as with last year, this is an increase of almost 1,000 from the previous year). Of complaint casework finished (15,492), 35% resulted in an assessment that compliance was unlikely, i.e. there was a likely breach of data protection requirements by the data controller. This percentage was similar last year.

Half of the complaints were about subject access requests, slightly up on last year, and this remains the most common issue for data protection complaints. Disclosure of data, inaccurate data and security were also common areas.

The ICO received over 160,000 reports of concerns about unsolicited marketing calls and texts over the course of the year. The majority related to PPI and claims management, debt management and green energy deals. Under 300 complaints about cookies were received – fewer than last year when the law had just changed in this area. Automated calls generated the most complaints (at 45.7%), followed by live calls and then spam texts (although it is unclear whether other forms of electronic mail are included within this statistic).

Communications providers (who are required to report breaches of security relating to the communications service within 24 hours) reported 260 security breaches to the ICO. The report does not comment on the extent of voluntary breach reporting in other sectors (although the ICO separately publishes some trends on these on its website). The ICO itself had one ‘non-trivial’ personal data security incident.

The freedom of information caseload was up almost 10% on last year with 5,151 complaints received. 43% were about local government, 23% about central government, with the health sector, police & criminal justice and education receiving fewer complaints. 1,261 decision notices were issued. In 25% of the cases the complaint was upheld, and in 61% the complaint was not upheld (with the remainder being partially upheld). As with last year, a lot of complaints (39%) were made too early, before internal reviews by the relevant public authorities had been completed.

Olivia Whitcroft, principal of OBEP, 15 July 2014

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details