The UK Information Commissioner’s Office (ICO) has published its annual report, containing details of its activities and financial statements between April 2020 and March 2021. The Information Commissioner’s forward is dated 22 June, but it appears to have been published rather under the radar!
Unsurprisingly, a focus of the report is Covid-19, which has impacted both the way in which the ICO has worked, and the types of issues which the ICO has been addressing (such as contact tracing and Covid-19 apps). The ICO has also continued to progress its work in areas such as artificial intelligence, children’s privacy, data sharing, accountability, and data analytics.
The ICO’s enforcement action included the final fines for British Airways of £20m, and for Marriott Hotels of £18.4m. These are high fines, but there was a significant reduction from the proposed fines the year before, following consideration of mitigating factors and the impact of the Covid-19 pandemic.
The full annual report is available at www.ico.org.uk.
Enforcement and caseloads – some statistics
The ICO received 319,377 calls to its helplines over the course of the year, including a new phone line specifically to help organisations adapt the way they work during the pandemic. 92% of calls were answered. There were also 80,270 live chat requests (with 95% answered). There were 11,942 requests for written advice (almost halved from last year). Confusingly, though only the figure for written advice seems significantly lower than last year, the ICO reports that it saw a marked reduction in the number of customers (organisations and members of the public) who asked the ICO directly for information rights advice by email, phone or live chat.
During the course of the year, the ICO imposed in total £41,959m in civil monetary penalties (not including £2.99m which is still under appeal). £38.4m of this relates to the British Airways and Marriott Hotels fines, as referred to above. The report does not seem to set out figures for the specific number of fines, nor of information notices, assessment notices, enforcement notices, cautions and criminal prosecutions (as it has done in previous years).
The report refers to specific industries in which the ICO has undertaken audits, including political parties, credit reference agencies and the adtech industry. However, unlike previous reports, the report does not appear to set out the total number of audits which it conducted.
The ICO received 36,607 data protection complaints. This is slightly lower than last year. Over 31,000 complaints were closed during the course of the year (there seem to be different figures in the text and the diagram of the report), which is less than last year. The ICO states in its report that it is also less than they would have liked, and they were dealing with the challenges of lockdown and a fully remote workforce. 9% of complaints were concluded within 30 days, 23% within 90 days and 84% within six months. These percentages are all much lower than last year, perhaps also representing the challenges faced by the ICO. The most complaints were in the ‘finance, insurance and credit’ sector, followed by ‘general business’, then ‘online technology and telecoms’. Health, land or property services, and local government were also high on the list.
Unusually, the report does not seem to outline the outcome of the cases (such as percentages of cases where an infringement or no infringement was found), nor does it set out the reasons for the complaints. Over the past few years, subject access requests have topped the list of reasons for complaints. It is therefore not clear whether this continues to be the case!
There were 9,532 self-reported personal data breaches. This is a decrease of over 2,000 from last year (which was also a decrease from the previous year), which the ICO considers is due to the pandemic. In 71.4% of cases assessed, no further action was required by the ICO. In 21.6% of cases, an investigation was pursued, and in 3.9% of cases, information action was taken.
The health sector stayed at the top in the number of breaches reported (16.8%), and education and childcare was second (13.6%). Retail and manufacture, and finance, insurance and credit were also both over 10%. Local government and the legal sector followed.
The ICO received 4,853 complaints about freedom of information, a reduction from last year. 4,000 cases were closed during the year; the charts in the report aren’t wholly clear (there are two very similar diagrams with different figures), but it appears that 8% were concluded within 30 days, over 42% were concluded within 90 days and 73% within six months. In 44.4% of cases, no action was required, and in 26.6% cases, a decision notice was served. The other cases were informally resolved, or did not relate to information rights. 39% of the cases were about local government (which was also the highest sector last year), 26% about central government, 9% about the health sector and 8% each about the justice sector and the education sector. 1,062 statutory decision notices were issued; 513 complaints were not upheld, and 549 were upheld or partially upheld. It is not specified whether, as with previous years, one of the key reasons for not upholding a complaint is that it was made too early before internal reviews by the relevant public authorities had been completed.
There were 236 appeals to the Information Rights Tribunal (down from last year, but the same percentage of 22%), though only 21% of appeals finished during the year were allowed or part allowed.
2,099 information requests were made to the ICO. This is down from last year, and 2,016 were completed. 738 were made under data protection laws, 1,080 under freedom of information laws, and 197 were hybrid, and 1 was made under the Environmental Information Regulations 2004.
Olivia Whitcroft, principal of OBEP, 14 July 2021
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details