The Information Commissioner’s Office have released their Annual Report for 2018. This blog summarises the key messages.
Information Commissioner’s Thoughts
Elizabeth Denham highlights the following in her foreword to the Report.
- The ICO has been involved in producing significant GDPR guidance in the last 12 months and has also run an internal change management process to ensure it is up to the demands placed upon it by GDPR (think: extra staff, new breach reporting functions and helplines).
- The ICO’s pay levels have fallen out of step with the rest of the public sector. UK Government has given the ICO 3-year pay flexibility and some salaries have increased.
- The ICO has taken decisive action on nuisance calls and misuse of personal data.
- The ICO began investigation of over 30 organisations in relation to use of personal data and analytics for political campaigns.
- The ICO launched a “Why Your Data Matters” campaign – designed to work as a series of adaptable messages that organisations can tailor to inform their own customers of their data rights.
The Laws that the ICO Regulates
The Report refers to the Data Protection Act 1998 and the new Data Protection Act 2018 as well as the Freedom of Information Act 2000.
But don’t forget about the Privacy and Electronic Communications Regulations and the Investigatory Powers Act 2016. The ICO is also an authority to which organisations can report cyber incidents under the new Network and Information Systems Regulations 2018 (NIS).
The ICO has produced a Guide to GDPR – definitely worth a read.
The ICO has also produced an introduction to the Data Protection Bill and a Guide to the Law Enforcement Directive as well as significant other guidance.
The ICO have also supported other bodies in producing their own GDPR guidance:
- Direct Marketing Association;
- The National Health Service (NHS);
- The Health Research Authority; and
- The Department for Education.
There is also new guidance on international transfers to reflect the Privacy Shield, and guidance on the new case law on the concept of “disproportionate effort” in the Subject Access Code of Practice.
Data Sharing Codes of Practice
The ICO engaged with UK Government on data sharing codes arising from the Digital Economy Act 2017. This includes the publicly available register of information sharing agreements.
Automatic Number Plate Recognition data used to be retained for 2 years. The ICO and the Surveillance Camera Commissioner raised concerns and the UK police have agreed to reduce the retention period to one year.
Participation in Global Networks
The ICO led the 2017 Global Privacy Enforcement Network Sweep, in which 24 regulators around the world looked at the control users have over their personal information. The privacy notices of 455 websites were assessed and were often found to be inadequate.
Civil Monetary Penalties – Fines
The ICO issued 11 fines for serious security failures. The joint highest fine ever (£400k) was served on Carphone Warehouse. There were significant fines for nuisance callers and spammers.
The ICO launched 19 prosecutions and gained 18 convictions for data theft under the old Section 55 Data Protection Act 1998.
It also ran two investigations into acquisition of data in the Automotive Repair Industry and alleged breaches of Section 55 DPA 1998 by clients tasking private investigators to unlawfully obtain personal data. The case law involving the prosecution of private investigators and clients continues.
Self Reported Data Breaches
The number of self-reported breaches has increased by 29%. Under GDPR it is mandatory to report data breaches to the ICO. There has been a significant spike in GDPR breach notifications since 25 May 2018.
The sector that reported the largest number of breaches was health (37% of all cases).
Telephone Preference Service (TPS)
This is the central UK opt-out register where individuals can object to telemarketing calls. In January 2017, the ICO took over responsibility for running the TPS. This enables quicker receipt and assessment of intelligence for ICO enforcement teams.
Registration/notification fees collected in the last year totalled £21 million. This regime has, with effect from 25 May 2018, been replaced by a new fee regime which will be used to fund the ICO going forward.
For obvious reasons, there has also been a spike in calls to the ICO helpline. Call numbers have increased by 24.1%. Live chat has increased by 61.5%. Written advice has increased by 40%. Needless to say, the ICO is expanding its operations and recruiting more staff.
We think the ICO probably has enough on its plate with GDPR, e-privacy and all the new guidance. Then there’s Brexit! There is actually little comment on Brexit in the Annual Report other than to flag that it is one of the issues facing the ICO. Then again, much of the detail on this has yet to be worked out.
The Commissioner concludes in her “foreword” that “the ICO is the proactive digital regulator the UK needs for ongoing challenges of upholding information rights in the digital world”.
Much more work to be done!