ICO publishes Annual Report 2014/2015

On 2 July 2015, the UK Information Commissioner’s Office (ICO) launched its annual report, containing details of its activities and financial statements between April 2014 and March 2015. The press release accompanying the report declared ‘Privacy and Openness: Making a reality of Information Rights’.

The year marked 30 years since the establishment of the first Data Protection Registrar and 10 years of the full operation of the Freedom of Information Act.

Some statistics on caseloads and enforcement action in the areas of data protection, privacy and electronic communications, and freedom of information are set out below.

Amongst many other activities, the report highlights the revised code of practice on CCTV and surveillance, the ICO’s guidance documents on Big Data and data protection for the media, the bringing into force of the offence of enforced subject access, and the extension of its compulsory audit powers to cover NHS bodies.

The ICO has tackled a record number of complaints relating to nuisance calls and text spammers, linking up with other regulators to co-ordinate effective enforcement. The enhanced monetary penalty power, removing the requirement for “substantial damage or distress”, should assist enforcement even more. Note: this was effective from 6 April 2015, after the end of the year covered by this Annual Report.

In relation to the proposed new EU Data Protection Regulation, the ICO comments that it is not now expected that the legislation will be agreed until at least 2016 (four years since it was initially proposed in February 2012).

Also of note are the ICO’s submissions in a Court of Appeal civil case between Google and Vidal-Hall (and others). The ICO successfully argued that browser generated information such as IP addresses, when used to target advertisements, was personal data under the DPA, and that compensation under the DPA could be awarded for non-financial damage.

The full report is available at www.ico.org.uk.

Enforcement and caseloads – some statistics

The ICO received about 205,000 calls to its helpline over the course of the year. This is fewer than last year, which the ICO says is because more people got the information which they wanted in one call. The ICO also handled about 11,500 written enquiries (11% of which related to rights to access data).

The ICO issued civil monetary penalties of £692,500 for data loss incidents, and £386,000 for marketing calls and texts. Eight enforcement notices for data loss, and three for direct marketing, were also issued (and many more cases resulted in written undertakings). The ICO undertook 41 audits, 17 information risk reviews and 56 follow up audits of organisations during the course of the year. It secured 10 criminal convictions for unlawful obtaining or disclosing of personal data. Other prosecutions were made against organisations and directors for failing to register with the ICO.

The ICO received 14,268 data protection complaints. This is a slight decrease from last year, which the ICO says is partly due to reducing the number of ineligible concerns. Of complaint casework finished (15,052), 35% resulted in the data controller needing to take no action, and 22% resulted in action being required of the data controller. Other outcomes included concerns being raised with or advice being given to the data controller. These figures were broken down slightly differently last year, so it is difficult to make a comparison. The statistics appear to indicate that a lower percentage of organisations were found non-compliant this year, though it may have been because a lot of organisations were already taking steps to address aspects of non-compliance (so no further action was needed).

Half of the complaints were about subject access requests, slightly down on the previous year, and this remains the most common issue for data protection complaints. Disclosure of data, inaccurate data and security remained other common areas. Following the EU Google judgment in May 2014 relating to the removal of Internet search links, the ICO has handled 120 complaints on this topic.

The ICO received over 180,188 reports of concerns about unsolicited marketing calls and texts over the course of the year (an 11% increase on last year). The majority related to boilers, accident claims, solar panels and PPI. The statistics in this area are a bit confusing. As with last year, it is unclear how email (and fax) marketing concerns fit into the picture. Also, whilst a pie chart indicates that calls with a recorded voice generated the most complaints (at 45%), followed by live calls (42%) and then spam texts (13%), a later comment in the report indicates that live calls generate more concerns than automated calls or spam.

Fewer than 164 complaints about cookies were received – even fewer than last year. The ICO has separately indicated that it maintains a consumer threat of ‘low’ in the area of cookies, although an EU cookie sweep in September 2014 revealed significant areas for improvement.

Communications providers (who are required to report breaches of security relating to the communications service within 24 hours) reported 285 security breaches to the ICO. The ICO also received 1,677 self-reported data loss incidents across all sectors. Of these, 439 were from the health sector and 125 from local government; the education, ‘general business’ and legal sectors also featured high on the list.

The ICO received 4,981 complaints about freedom of information and environmental information (slightly down from last year). 46% were about local government, 18% about central government, with (as last year) the health sector, police & criminal justice and education receiving fewer complaints. 1,305 decision notices were issued (slightly up on last year). Similar to last year, in 24% of the cases the complaint was upheld, and in 62% the complaint was not upheld (with the remainder being partially upheld). As with last year, a lot of complaints (31%) were made too early, before internal reviews by the relevant public authorities had been completed.

Olivia Whitcroft, principal of OBEP, 3 July 2015

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details