The Information Commissioner’s Office has released its annual report for 2015-2016. This is is Christoper Graham’s last annual report after 7 years in office. Mr Graham said that there had been a year of “real achievement”. He said “We have delivered on our objectives, responding to new challenges, and preparing for big changes, particularly in the data protection and privacy field.”
The operational headlines from the year are as follows:
- Over 16,300 data protection complaints were made with over 15,700 closed during 2015-16 – 90% of these cases being concluded within three months.
- Over 5,100 access to information complaints with 5,068 closed during the year. Over 70% of complaints resulted in a decision within three months and over 90% of cases were concluded within six months. The ICO issued 1,376 decision notices and there were 275 appeals to the Information Tribunal. The ICO successfully defended over 80% of its decisions.
- The helpline received 204,700 calls during the year – half from the public and half from regulated organisations, 80% of the calls related to data protection issues.
- More than 370 people sought help after search engines refused to remove results about them under the right to be forgotten. About a third of these contacts related to criminal convictions. In a third of the cases the ICO required the search engines to remove results. One enforcement notice was issued against Google Inc and three preliminary enforcement notices were issued against this company. These were complied with.
- The ICO issued 17 civil monetary penalties under the Privacy and Electronic Communications Regulations (PECR) totalling £1,985,000 to organisations pursuing a range of unlawful marketing activities; in particular nuisance calls.
- There were civil monetary penalties under the DPA totalling £550,250 to Bloomsbury Patient Network, The Crown Prosecution Service, The Money Shop and South Wales Police.
- The ICO issued a total of 7 enforcement notices (including the notice directed to Google Inc).
- There were 8 prosecutions under section 17 of the Data Protection Act 1998 for non-notification offences, 3 prosecutions under section 47 for failure to respond to an information notice and three prosecutions under section 55 for unlawfully obtaining data. There were, in addition, three cautions.
In the foreword to the report Mr Graham said that, over the past 12 months
“the ICO has had to respond effectively to the unexpected. Big data breaches such as that at Talk Talk. Acting on newspaper allegations about charity fundraising methods that breached data protection and privacy law. Taking part in the debate on surveillance and security and the Investigatory Powers Bill. And, in its responses following the Schrems Judgment, with all the implications for transatlantic data flows, the ICO’s influential counsel has helped to avert a meltdown. Much more over the following pages”.
The ICO has one of the largest case files for any regulator, and is in the unique position of being both the regulator, and the only body that can issue criminal prosecutions under the Data Protection Act & the Freedom of Information Act. Sadly, the ICO fails to prosecute in the vast majority of complaints, and is a toothless regulator which see’s its role as being only advisory. What is needed is support for civil claims by the ICO, and mandatory enforcement with stiff penalties, and custodial sentencing, for criminal offences. Then Data Controllers will take the DPA & FOIA seriously. As it stands the ICO is something of a joke, and compliance with the DPA & FOIA is ignored..