As the Annual Report for 2017-2018 of the Information Commissioner’s Office (ICO) was published, Information Commissioner Elizabeth Denham said her second year in the role had been one of increasing activity and challenging actions, some of them unexpected.
“This is an important time for privacy rights, with a new legal framework and increased public interest. Transparency and accountability must be paramount, otherwise it will be impossible to build trust in the way that personal information is obtained, used and shared online.”
As well as extensive work to help the public and organisations of all sizes prepare for the European Union’s General Data Protection Regulation (GDPR), and providing expert advice to Government during the passage of the Data Protection Act 2018 through Parliament, the ICO also experienced unprecedented demand for its casework on data protection and freedom of information.
Highlights from the 12 months to 31 March 2018 include a significant increase in data protection complaints (up 15%), self-reported breaches (up 30%) and Freedom of Information complaints (up 5%). Against this increased demand, the ICO closed more cases than in any other year.
The ICO also received a huge increase in telephone, live chat and written queries from the public and organisations, with new telephone services for small organisations and self-reported breaches. In the final quarter, the ICO received 30,000 more calls than in the previous three months.
Importantly, the ICO also created the ‘Your Data Matters’ campaign to inform the public about their rights.
Enforcing the law
The ICO issued the largest number and amount of civil monetary penalties in its history. This included 26 penalties totalling £3.28 million for breaches of electronic marketing laws relating to nuisance calls and spam text messages, along with ten enforcement notices and the execution of three search warrants.
Eleven fines totalling £1.29 million were issued for serious security failures under the Data Protection Act 1998. A further 11 fines totalling £138,000 were given to charities for unlawfully processing personal data, and an £80,000 fine was issued to a data broking organisation.
A total of 19 criminal prosecutions resulted in 18 convictions. A further six cautions were issued and 11 search warrants executed.
Advice for organisations
There has been ongoing engagement work with organisations in the public, private and third sectors to promote compliance with the laws on information rights. The ICO has undertaken 26 new audits, 24 follow-up audits, 43 information risk reviews and 56 advisory visits with SMEs.
The ICO is continuing to play a leading role in European and global policy and enforcement networks, in turn supporting a new International Strategy. There’s also an increased focus on cyber incidents, including a new Technology Strategy and the new ICO Grants Programme designed to support independent research.