ICO publishes Annual Report 2018/2019

On 9 July 2019, the UK Information Commissioner’s Office (ICO) published its annual report, containing details of its activities and financial statements between April 2018 and March 2019. It is Elizabeth Denham’s third annual report as the Information Commissioner.

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) started to apply during the year (in May 2018), which meant big changes to the law and to the ICO’s enforcement powers. The ICO reports that record numbers of people raised data protection concerns – double the number to those received the previous year. The ICO provided GDPR guidance and assistance, and started to use its new powers of inspection under the GDPR.

The ICO also continued its work in taking enforcement action under the previous Data Protection Act 1998 (in relation to activities or incidents taking place prior to May 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR). This included investigation into the use of data analytics for political purposes, and record-breaking monetary penalties of £500k each imposed on Equifax and Facebook.

So it seems a lot of records have been broken in the year, though I suspect with the recent notices of intention to fine British Airways and Marriott over £183m and £99m (respectively), the current year may be pretty record-breaking too.

The full annual report is available at www.ico.org.uk.

Enforcement and caseloads – some statistics

The ICO received 411,656 calls to its helpline over the course of the year, which is an increase of 75% from last year. There were also 34,447 live chat requests (up 13% from last year) and 25,121 requests for written advice (up 43% from last year).

The ICO continued to issue a substantial number of civil monetary penalties. This included 23 civil monetary penalties totalling £2,053,000 for unlawful direct marketing activities in breach of PECR. It issued 22 civil monetary penalties totalling £3,010,610 for serious breaches of the Data Protection Act 1998. Note: These were not yet made under the GDPR, as they related to activities which pre-dated the GDPR.

These monetary penalties include:

  • £500,000 issued to Equifax Ltd, relating to a cyber security incident which affected the personal data of up to 15m UK citizens and residents;
  • £500,000 issued to Facebook Ireland Ltd, relating to a serious data incident affecting the personal data of an estimated 87m Facebook users worldwide (see also OBEP’s article on this);
  • £385,000 fine issued to Uber, relating to a cyber security incident affecting the personal data of 2.7m UK Uber users and 82,000 UK Uber drivers; and
  • £325,000 issued to the Crown Prosecution Service, for losing unencrypted DVDs containing records of police interviews; and
  • £250,000 issued to Yahoo! UK Services Ltd, relating to a cyber security incident affecting the personal data of approximately 500m Yahoo! users worldwide.

The ICO also issued enforcement notices, though the total number in the year does not appear to be specified in the report (but details of enforcement notices are available in the ‘Enforcement Action’ section of the ICO’s website). They included the first enforcement notice under the Data Protection Act 2018 to Aggregate IQ, a Canadian data broker, requiring it to delete certain personal data it held about UK citizens and residents (see also OBEP’s article on this). The ICO also issued warnings and reprimands and 11 information notices.

The report does not appear to refer to criminal convictions made in 2018/2019 (though details of prosecutions are available in the ‘Enforcement Action’ section of the ICO’s website). Under the DPA 2018, the ICO can now fine organisations for failing to pay the annual data protection fee (whereas under previous law it sought a criminal conviction).

The ICO undertook 31 consensual audits (27 relating to data protection and four to PECR), 14 follow-up audits and 89 advisory visits (focussing on SMEs and charities). The ICO also issued 11 assessment notices under the GDPR and DPA 2018, in conjunction with its investigations into data analytics.

The ICO received 41,661 data protection complaints. This is almost double those received last year. 81% were concluded within 90 days and 99.5% in 180 days. 34,684 complaints were closed during the course of the year (including some rolled over from the previous year). 38% of the complaints were about subject access requests (1% down from last year), and this remains the most common issue for data protection complaints. Disclosure of data, the right to prevent processing, security and inaccurate data remain other common areas.

The ICO received 138,368 reports of concerns under PECR (including unsolicited marketing communications) (an increase of 26% from last year, but less than the year before that). In relation to telesales and spam texts, a bar chart1 indicates that calls with a recorded voice generated the most complaints (64,798), followed by calls where the recipient spoke with a person (57,502) and then spam texts (14,665). It is unclear how email (and fax) marketing concerns, and cookies concerns, fit into the picture.

The ICO also has responsibility for the Telephone Preference Services (TPS), the opt-out register for people to record their preference not to receive unsolicited marketing calls. As at May 2019, there were 18.5m numbers on the TPS register and 2.2m numbers on the Corporate Register. Over 616,000 people registered with TPS during the course of the year and 52,503 complaints were received from registrants that unsolicited marketing calls had been received.

There were 13,840 self-reported personal data breaches. This is an increase of 320% from last year, and reflects the new GDPR requirements to report personal data breaches. In 82% of the cases assessed, no further action was required by the ICO. In 17% of cases, the ICO required that the organisations take further action. A small minority led to further actions such as additional investigations or pursuing a monetary penalty.

For the first time in recent years, ‘general business’ exceeded the health sector in the number of breaches reported (18.13% coming from general business and 16.25% from the health sector). The education sector, and finance, insurance and credit, also had percentages over 10%. The ICO noted that reporting can be higher where there are dedicated DPOs and well-developed breach reporting processes.

The ICO received 6,418 complaints about freedom of information, an increase of 713 or 12% from last year. 6,293 cases were closed during the year; 72% were concluded within 90 days and 86% within 180 days. 42% of the cases were about local government, 18% about central government, 14% about police and criminal justice, 11% about the health sector and 6% about the education sector. In 23% of the cases a decision notice was served. As with last year, a lot of complaints (40%) were made too early before internal reviews by the relevant public authorities had been completed or without all necessary information.

There were 246 appeals to the Information Rights Tribunal (down from last year), and only 28.3% of appeals finished during the year were allowed or part allowed.

The ICO also laid a report to Parliament setting out the case to extend the scope of freedom of information law to cover the work of private organisations providing a public function.

2,326 information requests were made to the ICO. This is up 817 or 54% from last year, and 2,282 were completed. 887 were made under data protection laws, 1,096 under freedom of information laws, and 299 were hybrid.

Olivia Whitcroft, principal of OBEP, 11 July 2019

1 Confusingly, the colours for different years are reversed from those used in the data protection section!

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details