The Information Commissioner’s Office (ICO) has released its annual report for 2017-8 (PDF).
Unsurprisingly, the report reflects that much of the ICO’s time has been taken up by GDPR and its UK implementation, the Data Protection Act 2018 (DPA 2018). The ICO reports that calls to its helpline rose by almost 25% compared to 2016-7, with requests for written advice rising by 40%. The year’s final quarter was the busiest, receiving 30,000 more calls than the previous three months.
The report also noted a significant increase in reporting to the ICO. Self-reported breaches are up 30% from last year – in a recent webinar, ICO representatives stressed repeatedly that not all breaches need to be reported, and that overreporting creates unnecessary problems for the ICO. Data protection complaints are also up 15%, and freedom of information complaints rose by 5%.
The largest number of breaches reported (37% of all cases) came from the health sector, where breach reporting was already mandatory.
Another significant set of projects mentioned by the ICO during this period was its education and awareness-raising campaigns, particularly the ‘Your Data Matters’ campaign.
“It is only through informed, empowered individuals exercising their information rights that we will see real and sustained compliance across the UK,” the report said.
In addition to changes related specifically to GDPR and DPA 2018, the ICO has also continued its work on cases as usual. This year, the ICO issued the largest number and amount of civil monetary penalties in its history.
Particularly since being assigned statutory responsibility for the Telephone Preference Service in 2017, the ICO has been keen to take action against nuisance calls and other breaches of the Privacy and Electronic Communications Regulations (PECR). 26 penalties totalling £3.28 million were issued for breaches of electronic marketing laws relating to nuisance calls and spam text messages. Ten enforcement notices were issued, and three search warrants executed.
In terms of security failings, record fines were issued. Though not mentioned in the report, the £500,000 fine levied against Facebook sets a record – the second highest were also issued this year, with £400,000 fines served against TalkTalk and Carphone Warehouse. Altogether, at the time of the report’s publication eleven fines, totalling £1.29 million, had been issued for serious security failures under DPA 1998. A further eleven fines totalling £138,000 were issued to charities for unlawfully processing personal data, while an £80,000 fine was issued to a data broking organisation.
The ICO also saw 19 criminal prosecutions for unlawfully obtaining data, resulting in 18 convictions. Six cautions were issued, and a total of eleven search warrants executed.
It also continued its work with businesses, undertaking 26 new audits, 24 followup audits, 43 information risk reviews, and 56 advisory visits to small and medium sized businesses.
“I am heartened to report that we have managed to close more cases than last year,” said Information Commissioner Elizabeth Denham in her foreword. “This is truly impressive considering the same staff working on cases have also had to upskill their knowledge to take account of legislative changes and provide in-house training to new starters at the ICO.”