On June 20, 2013, the UK Information Commissioner’s Office (“ICO”) launched its Annual Report and Financial Statements for 2012/13 (the “Report”). Introducing the Report, Information Commissioner Christopher Graham strongly emphasized that, as consumers become increasingly aware of their information rights, good privacy practices will become a commercial benefit and a business differentiator. He outlined the seven key “e”s of the ICO’s role: enforce, educate, empower, enable, engage, and to be effective and efficient.
Enforcement
During the financial year 2012/13, the ICO’s civil enforcement team investigated 1,300 cases, up 45% from the previous year. The ICO also:
- issued 23 penalties, totaling over £2.6 million;
- received 155,000 complaints relating to nuisance marketing calls and spam SMS text messages;
- issued its first monetary penalty for a breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), against Tetrus Telecoms in November 2012; and
- issued its first monetary penalty for violations related to cold-calling, against DM Design Bedrooms Ltd, in March 2013.
Education
The ICO issued guidance on how to comply with the new cookie requirements. It also updated or published 55 pieces of advice relating to the Freedom of Information Act 2000 (“FoIA”). Additionally, it published its Anonymization Code of Practice and helped set up the UK Anonymization Network.
Empower
Commissioner Graham reported that individuals’ awareness of their rights under FoIA are back to peak levels of 86%, last recorded in 2007. Awareness of individual rights under the Data Protection Act 1998 (“DPA”) are slightly higher, at 87%. Further, the ICO is piloting a program in schools to include information rights in the national curriculum.
There is therefore evidence of increasing consumer awareness and expectations. Commissioner Graham warned organizations that they will lose customers if they do not have robust data handling practices. He heralded 2013 as the “year that organizations will realize the commercial imperative […] of properly handling consumer data.”
Enable
Commissioner Graham emphasized that the purpose of the DPA is not to say “no” or to prevent organizations from processing personal data. During 2012/13, the ICO published guidance to help organizations process personal data in the right way and in accordance with the requirements of the DPA, e.g., the Data Sharing Code of Practice.
The ICO also conducted 58 consensual audits (a 38% increase from the previous year) and 78 advisory visits (representing a 30% increase from last year), to help assist organizations meet their data protection compliance obligations. The ICO also prepared outcome reports, which highlight common themes of good practice and areas for improvements across specific industries and sectors.
Engage
Commissioner Graham emphasized the importance of the ICO keeping up with current developments, and being aware of the latest technology, policy and business news. This last year, the ICO has been involved with the review of FoIA, the UK government’s agenda of transparency and open data, the Leveson Inquiry, and the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”).
Effective and Efficient
ICO Director of Operations, Simon Entwisle, explained some of the key operational statistics for 2012/13. The ICO:
- had a 3.7% increase in incoming calls to its helpline. The ICO uses the topics of helpline calls to help inform and improve their website FAQs section. The ICO hopes that by improving the FAQs section, they will receive fewer queries, and in fact saw a drop in email queries of approximately 10%;
- dealt with a DPA caseload of 13,802, up 6.3% from the previous year’s 12,980 cases. 70% of cases were closed within 90 days, and 96% within six months. As in previous years, approximately 50% of complaints relate to access requests. Of closed cases, in approximately 65% of complaints, the ICO did not find that the DPA had been breached. The ICO aims to improve guidance available to individuals about the DPA in the hope that individuals will consequently only lodge complaints having merit;
- dealt with a PECR caseload of 155,425 complaints. The ICO expected to receive high numbers of complaints in relation to telemarketing calls and spam text messages, so they set up a specific complaints channel to report complaints online. Approximately 50% of the complaints related to recorded voice calls, approximately 25% related to live calls, and approximately 25% to spam texts. The ICO gathered aggregate data through the online tool in order to identify the key culprits. The ICO contacted the organizations concerned and called some in for meetings. The ICO was able to educate some organizations to improve their compliance, but ultimately will issue monetary penalties if organizations will not comply; and
- received limited complaints about cookies, only 685 throughout the year.
Looking Ahead
The outcome of the Proposed Regulation remains uncertain, pending legislative debate and negotiations between the European Parliament and the Council of the European Union. However, the impact of the Proposed Regulation likely will be significant. In particular, the ICO questions how the ICO would be funded under the Proposed Regulation, which would eradicate the notification system. In 2012/13, the ICO raised £16.06 million in revenue from the notification framework, and both the ICO and UK Ministry of Justice have questioned how this funding shortfall would be met. The ICO also is particularly troubled by the new obligations the Proposed Regulation would impose on data protection authorities, including prescriptive requirements such as prior authorization procedures and the consistency mechanism. Other key upcoming issues likely to impact the ICO significantly in 2013/14 include changing technology, open data and big data and further FoIA budget cuts.
In the near future, the ICO will launch a consultation with its staff and stakeholders regarding the ICO’s future vision. Specifically, the consultation will ask:
- How do you think the ICO is doing?
- What sort of regulator should the ICO be?
- How should it be paid for?
The ICO will use the consultation responses to inform its 2014/15 corporate plan.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code