With data breaches and the new cookie rules never far from the press or industry agendas, and with a new European framework on the horizon, the past year has been a busy one for the Information Commissioner’s Office (ICO). Its Annual Report for 2011/12, along with a companion webcast, reflects this changing privacy landscape. Both offer useful insights into the ICO’s priorities for the coming year.
In terms of enforcement action (perhaps one of the most useful indicators of risk for businesses), the focus remains on major data breaches, with the majority of breaches occurring in the local government sector. The ICO has ramped up its enforcement activity, with 10 civil monetary penalty notices totalling £1,171,100 issued between March 2011 and March 2012 (though monetary penalties are still relatively small and infrequent compared to those issued by the financial or environmental regulators, for example). The running total will exceed £2,000,000 once the ICO’s latest significant fine is added: £325,000 against Brighton and Sussex University Hospitals NHS Trust, after hard drives containing the sensitive personal data of tens of thousands of patients and employees were sold on an online auction site by an individual engaged by the Trust’s IT services provider. The largest ICO fine imposed on a private business to date is the £150,000 monetary penalty issued this July against Welcome Financial Services Limited. The fine followed the loss of unencrypted back-up tapes containing personal data, including bank account information, relating to over 500,000 employees and customers. Neither case involved a network intrusion: both turned on physical media leaving the organisation’s control, in one case through a third-party contractor and in the other through backups that had not been encrypted.
Data subject complaints are another key enforcement trigger. Complaints about data subject access requests account for a massive 45 percent of all complaints filed with the ICO. These are followed by complaints about inappropriate disclosures of data (for example, disclosures of which the data subjects are not informed, disclosures to the wrong recipients or outside the scope of the original processing, or disclosures made without the data subject’s consent where consent is required), which make up 17 percent of the total. For organisations with users and customers in the UK, time and resources will be well spent in ensuring that access request response procedures are thorough and efficient.
Looking forward to the coming year, the ICO’s focus is on keeping up with organisations constantly striving to maximise the value and potential of personal data in innovative ways. The ICO sought to get businesses on side with a timely reminder of the value consumers place on their privacy and on transparency from the organisations they provide data to. This is an important message, not only for the ICO’s purposes but for all those organisations that see data privacy as merely another compliance risk to be attended to as cheaply as possible. Treating privacy that way may mean losing out as privacy-aware consumers demand effective, streamlined and transparent privacy protections.
The ICO also took the opportunity to reinforce its pragmatic approach to the new cookie rules, stating in the webcast that it will take, “appropriate and proportionate enforcement action in the coming months where businesses cannot demonstrate that they are taking reasonable steps to comply with what are, admittedly, challenging provisions.” The ICO is unlikely to be soft on businesses that blatantly disregard the new rules (particularly in light of the reported 43 percent increase in complaints about e-marketing in general), but its proportionate approach will remain.
This latest Annual Report does not introduce any radical change of direction for the ICO. It is more a reflection of the ongoing focus on maintaining protection of personal data and securing individual rights in light of rapidly advancing technological developments. The report reinforces the ICO’s current approach to enforcement; this, at least, is reassuring to businesses, which face far greater changes ahead under the proposed European privacy reforms.