ICO publishes Annual Report 2016/2017

On 13 July 2017, the UK Information Commissioner’s Office (ICO) launched its annual report, containing details of its activities and financial statements between April 2016 and March 2017. It is Elizabeth Denham’s first annual report as the Information Commissioner.

Some statistics on caseloads and enforcement action in the areas of data protection, privacy and electronic communications (including direct marketing), and freedom of information are set out below.

The ICO has started publishing guidance on the General Data Protection Regulation (GDPR) which comes into force in May 2018. It is also contributing to guidance being produced by the EU Article 29 Working Party. See OBEP’s article: GDPR guidance: What do we have so far?. The ICO has also contributed to the Article 29 Working Party Opinion on the proposed new EU ePrivacy Regulation.

The ICO highlights its activities promoting better compliance in the charity sector. It issued 13 civil monetary penalties to charities, using discretion to set a reduced level of penalty to encourage better practice while not unduly distressing donors. It also held 17 compliance meetings with other charities and two call centres about compliance with the DPA and PECR. It also held a charity fundraising conference in February 2017 together with the Charity Commission and the Fundraising Regulator.

The ICO has also launched a new Information Rights Strategic Plan for the next four years (to 2021).

The full report is available at www.ico.org.uk.

Enforcement and caseloads – some statistics

The ICO received 189,042 calls to its helpline over the course of the year, which is about 15,000 or 7.2% down on last year’s figure. 78% of the calls related to data protection, 14% to privacy and electronic communications, 6% to freedom of information and 2% were hybrid.

The ICO issued 23 civil monetary penalties totalling over £1.9m for unlawful direct marketing activities in breach of the Privacy and Electronic Communications Regulations 2003 (PECR) – the most in a year yet. It issued 16 civil monetary penalties totalling over £1.6m for serious breaches of the Data Protection Act 1998 (DPA), including the largest to date of £400k issued to Talk Talk.

The report does not seem to provide statistics on enforcement notices, though the enforcement section of its website would indicate 17 enforcement notices were served during the year relating to data protection compliance.

The ICO secured 21 criminal convictions for unlawful obtaining of personal data, failing to register with the ICO, and failing to respond to an information notice. In addition five cautions were issued for section 55 offences (unlawful obtaining or disclosure of data).

The ICO undertook 35 audits, 22 information risk reviews, 23 follow-up audits and 58 advisory visits of/to organisations during the course of the year.

The ICO received 18,354 data protection complaints. This is an increase of just under 2,000 or 12% from last year. 90% were concluded within 90 days and 98% within 180 days. Of complaint casework finished (17,335), 33.4% resulted in the data controller needing to take no action, and 20.3% resulted in action being required of the data controller. Other outcomes included concerns being raised with or advice being given to the data controller. These figures are similar to the outcomes last year.

42% of the complaints were about subject access requests, the same percentage as the previous year, and this remains the most common issue for data protection complaints. Disclosure of data, inaccurate data, security and the right to prevent processing remain other common areas. The top sectors giving rise to complaints were general business, health, local government and lenders (the same as last year). Following them were central government, policing and criminal, education, telecoms, internet and "other individuals".

More than 300 people sought the ICO’s help after search engines refused to remove results about them under the “right to be forgotten”. In a third of the cases the ICO required the search engines to remove results.

The ICO dealt with over 600 concerns about the use of domestic CCTV cameras (which generally related to neighbour disputes or alleged harassment).

The ICO received 167,018 reports of concerns under PECR (including unsolicited marketing communications) over the course of the year (an increase of about 6,000 or 3.6% from last year). In relation to telesales and spam texts, a pie chart indicates that calls with a recorded voice generated the most complaints (at 49%), followed by live calls (40%) and then spam texts (11%). As with last year, it is unclear how email (and fax) marketing concerns fit into the picture.

195 complaints about cookies were received – down 15 from last year.

There were 2,565 self reported incidents under the DPA. This is an increase of about 600 or 31.5% from last year, and 41% were in the health sector. There were 1,005 self reported incidents under PECR. As with last year, this is a big increase on the previous year of about 400 or 63.9%.

The ICO received 5,433 complaints about freedom of information, an increase of about 250 or 4.9% from last year. 5,173 cases were closed (a similar number to last year); 66% were concluded within 90 days and 89% within 180 days. 39% of the cases were about local government, 17% about central government, 14% about police and criminal justice, 12% about the health sector and 8% about the education sector. Similarly to last year, in 24.3% of the cases the complaint was upheld, and in 59.2% the complaint was not upheld (with the remainder being partially upheld). As with last year, a lot of complaints (30%) were made too early before internal reviews by the relevant public authorities had been completed.

Olivia Whitcroft, principal of OBEP, 13 July 2017

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details