Privacy & Information Security Law Blog

On June 20, 2013, the UK Information Commissioner’s Office (“ICO”) launched its Annual Report and Financial Statements for 2012/13 (the “Report”). Introducing the Report, Information Commissioner Christopher Graham strongly emphasized that, as consumers become increasingly aware of their information rights, good privacy practices will become a commercial benefit and a business differentiator. He outlined the seven key “e”s of the ICO’s role: enforce, educate, empower, enable, engage, and to be effective and efficient.

Enforcement

During the financial year 2012/13, the ICO’s civil enforcement team investigated 1,300 cases, up 45% from the previous year. The ICO also:

• issued 23 penalties, totaling over £2.6 million;
• received 155,000 complaints relating to nuisance marketing calls and spam SMS text messages;
• issued its first monetary penalty for a breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), against Tetrus Telecoms in November 2012; and
• issued its first monetary penalty for violations related to cold-calling, against DM Design Bedrooms Ltd, in March 2013.

Education

The ICO issued guidance on how to comply with the new cookie requirements. It also updated or published 55 pieces of advice relating to the Freedom of Information Act 2000 (“FoIA”). Additionally, it published its Anonymization Code of Practice and helped set up the UK Anonymization Network.

Empower

Commissioner Graham reported that individuals’ awareness of their rights under FoIA are back to peak levels of 86%, last recorded in 2007. Awareness of individual rights under the Data Protection Act 1998 (“DPA”) are slightly higher, at 87%. Further, the ICO is piloting a program in schools to include information rights in the national curriculum.

There is therefore evidence of increasing consumer awareness and expectations. Commissioner Graham warned organizations that they will lose customers if they do not have robust data handling practices. He heralded 2013 as the “year that organizations will realize the commercial imperative […] of properly handling consumer data.”

Enable

Commissioner Graham emphasized that the purpose of the DPA is not to say “no” or to prevent organizations from  processing personal data. During 2012/13, the ICO published guidance to help organizations process personal data in the right way and in accordance with the requirements of the DPA, e.g., the Data Sharing Code of Practice.

The ICO also conducted 58 consensual audits (a 38% increase from the previous year) and 78 advisory visits (representing a 30% increase from last year), to help assist organizations meet their data protection compliance obligations. The ICO also prepared outcome reports, which highlight common themes of good practice and areas for improvements across specific industries and sectors.

Engage

Commissioner Graham emphasized the importance of the ICO keeping up with current developments, and being aware of the latest technology, policy and business news. This last year, the ICO has been involved with the review of FoIA, the UK government’s agenda of transparency and open data, the Leveson Inquiry, and the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”).

Effective and Efficient

ICO Director of Operations, Simon Entwisle, explained some of the key operational statistics for 2012/13. The ICO:

• had a 3.7% increase in incoming calls to its helpline. The ICO uses the topics of helpline calls to help inform and improve their website FAQs section. The ICO hopes that by improving the FAQs section, they will receive fewer queries, and in fact saw a drop in email queries of approximately 10%;
• dealt with a DPA caseload of 13,802, up 6.3% from the previous year’s 12,980 cases. 70% of cases were closed within 90 days, and 96% within six months. As in previous years, approximately 50% of complaints relate to access requests. Of closed cases, in approximately 65% of complaints, the ICO did not find that the DPA had been breached. The ICO aims to improve guidance available to individuals about the DPA in the hope that individuals will consequently only lodge complaints having merit;
• dealt with a PECR caseload of 155,425 complaints. The ICO expected to receive high numbers of complaints in relation to telemarketing calls and spam text messages, so they set up a specific complaints channel to report complaints online. Approximately 50% of the complaints related to recorded voice calls, approximately 25% related to live calls, and approximately 25% to spam texts. The ICO gathered aggregate data through the online tool in order to identify the key culprits. The ICO contacted the organizations concerned and called some in for meetings. The ICO was able to educate some organizations to improve their compliance, but ultimately will issue monetary penalties if organizations will not comply; and
• received limited complaints about cookies, only 685 throughout the year.

Looking Ahead

The outcome of the Proposed Regulation remains uncertain, pending legislative debate and negotiations between the European Parliament and the Council of the European Union. However, the impact of the Proposed Regulation likely will be significant. In particular, the ICO questions how the ICO would be funded under the Proposed Regulation, which would eradicate the notification system. In 2012/13, the ICO raised £16.06 million in revenue from the notification framework, and both the ICO and UK Ministry of Justice have questioned how this funding shortfall would be met. The ICO also is particularly troubled by the new obligations the Proposed Regulation would impose on data protection authorities, including prescriptive requirements such as prior authorization procedures and the consistency mechanism. Other key upcoming issues likely to impact the ICO significantly in 2013/14 include changing technology, open data and big data and further FoIA budget cuts.

In the near future, the ICO will launch a consultation with its staff and stakeholders regarding the ICO’s future vision. Specifically, the consultation will ask:

• How do you think the ICO is doing?
• What sort of regulator should the ICO be?
• How should it be paid for?

The ICO will use the consultation responses to inform its 2014/15 corporate plan.