The ICO, the UK’s data protection authority, published its 2014-2015 annual report. Most notably, the ICO announced that there had been no successful appeals against its Monetary Penalty Notices. The ICO can impose civil monetary penalties of up to £500,000 for serious breaches of the Data Protection Act 1998, but a penalty can be reduced by 20% if paid within 30 days, and will not be enforced until the period for appeal has ended. In contrast, nearly £600,000 worth of monetary penalties were successfully challenged on appeal last year.
This 100% success rate meant that, despite a significant drop in the size of financial penalties issued (from almost £2 million in 2013/2014 to just £1.1 million), the amount received actually only fell by £115,000. The reduction in the amount of fines issued corresponds with the fact that the number of concerns received by the ICO this year also fell, suggesting that organisations are following ICO guidance and improving their data protection compliance.
The ICO reported that an individual’s right of access again generated the greatest number of complaints under the Data Protection Act. The ICO also saw a dramatic increase of 11% in complaints relating to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’), with 180,000 complaints during 2014/15. The majority of complaints related to nuisance calls and the use of web browser cookies and related technologies. PECR governs electronic communications, including direct marketing via email and telephone, and the use of tracking technologies such as cookies, as well as data breach reporting by telecoms providers.
Other enforcement action taken by the ICO during the past year includes the issuance of the first fixed penalty of £1,000 under PECR against a communications service provider for failure to report a data security breach within 24 hours. The ICO also prosecuted 13 cases involving unlawfully obtaining or disclosing personal data, which resulted in 10 criminal convictions.
The ICO issued penalties totalling £692,500 for data security breaches/loss and, according to the report, organisations in the health care industry had the majority of data loss events.
This report helps to demonstrate that the ICO continues to, in their own words, get the job done, and organisations should take note of any guidance they offer to ensure they are not forced to deal with any enforcement action of their own.