ICO publishes Annual Report 2019/2020

On 20 July 2020, the UK Information Commissioner’s Office (ICO) published its annual report, containing details of its activities and financial statements between April 2019 and March 2020. It is Elizabeth Denham’s fourth annual report as the Information Commissioner.

Key areas of the ICO’s work have included the following:

  • guidance and discussions on facial recognition, artificial intelligence and use of data relating to children (the ICO published its Age Appropriate Design Code in January 2020);
  • the ICO’s regulatory sandbox service, which started in 2019. This allows selected organisations to draw on guidance and expertise from the ICO whilst developing innovative new products and services with a public benefit, with data protection by design in mind;
  • guidance and discussions on data protection and COVID-19, which arose towards the end of the year which the report covers. The ICO has published guidance on how it will regulate during COVID-19, and has engaged with government and health authorities;
  • guidance on data protection and Brexit implications;
  • enforcement action under the previous Data Protection Act 1998 (in relation to activities or incidents taking place prior to May 2018), under the Data Protection Act 2018, and under the Privacy and Electronic Communications Regulations 2003 (PECR) (for direct marketing breaches).

The ICO’s enforcement action included the notices of intention to fine British Airways and Marriott over £183m and £99m respectively (these had arisen prior to publication of last year’s report, but fell into the current year). The regulatory process on these matters is ongoing, and there is no report of any final fines having yet been issued.

The full annual report is available at www.ico.org.uk.

Enforcement and caseloads – some statistics

The ICO received 395,197 calls to its helpline over the course of the year (with 86% answered), which is a decrease from last year. There were also 60,838 live chat requests (with 89% answered) – up over 75% from last year, following a new option to queue to chat. There were 22,050 requests for written advice (down slightly from last year).

During the course of the year, the ICO conducted over 2,100 investigations. It issued 54 information notices, eight assessment notices (see also below), seven enforcement notices, and four cautions. It also undertook eight criminal prosecutions and imposed fifteen administrative fines.

The fines included:

  • £120,000 issued to Hall and Hanley Ltd for sending over 3.5m unlawful direct marketing text messages;
  • £500,000 issued to DSG Retail Limited after a major cyber-attack;
  • £500,000 issued to CRDNN Limited for making more than 193m automated nuisance calls; and
  • £500,000 issued to Cathay Pacific Airways Limited for failing to secure its customers’ personal data.

The ICO undertook 57 consensual audits and follow-up audits. It also completed compulsory audits under assessment notices of seven political parties and the Crown Prosecution Service.

The ICO received 38,514 data protection complaints. This is slightly lower than last year, although still a significant increase from previous years. 27% were concluded within 30 days, 74% within 90 days and over 98% within six months. 39,860 complaints were closed during the course of the year (including some rolled over from the previous year). The outcomes varied, but the percentage of cases where concerns were raised or infringements found was similar to the percentage of cases where no infringement was found. The most complaints were in the ‘general business’ sector, followed by local government, and the health, internet and lenders sectors.

46% of the complaints were about subject access requests (a significant increase from 38% last year), and this remains the most common issue for data protection complaints. Disclosure of data, the right to prevent processing, security and inaccurate data remain other common areas.

The ICO received 127,940 reports of concerns under PECR (including unsolicited marketing communications) (a decrease of 7.5% from last year). In relation to telesales and spam texts, a bar chart indicates that calls with a recorded voice generated the most complaints (51,954), followed by calls where the recipient spoke with a person (50,647) and then spam texts (14,343). There were 2,544 concerns raised about use of cookies; about double the figure from last year. It is unclear how email (and fax) marketing concerns fit into the picture.

There were 11,854 self-reported personal data breaches. This is a decrease of about 2,000 (or 14%) from last year, though still a significant increase from pre-GDPR reporting. In a very high percentage of cases assessed – 95% – no further action was required by the ICO. In only 5% of cases, the ICO required that the organisations take further action. A small minority led to further actions such as pursuing a civil monetary penalty.

The health sector returned to the top in the number of breaches reported (19.66%), having taken a break from the top spot last year to make room for ‘general business’ – which this year was second at 17.16%. The education sector had 14.11%, followed by finance, insurance and credit at just under 10%. Local government and the legal sector followed.

The ICO received 6,367 complaints about freedom of information, a very similar number to last year. 6,421 cases were closed during the year; the charts in the report aren’t wholly clear, but it appears that over 60% were concluded within 30 days, over 70% were concluded within 90 days and 88% within six months. 47% of the cases were about local government (which was also the highest sector last year), 17% about central government, 16% about police and criminal justice, 12% about the health sector and 6% about the education sector. 1,446 statutory decision notices were issued; 697 complaints were not upheld, and 749 were upheld or partially upheld. As with previous years, a lot of complaints (36%) were made too early before internal reviews by the relevant public authorities had been completed.

There were 311 appeals to the Information Rights Tribunal (up from last year), though only 23% of appeals finished during the year were allowed or part allowed.

2,747 information requests were made to the ICO. This is up 421 or 18% from last year, and 2,794 were completed. 1,018 were made under data protection laws, 1,367 under freedom of information laws, 408 were hybrid, and 1 was made under the Environmental Information Regulations 2004.

Olivia Whitcroft, principal of OBEP, 21 July 2020

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details