Retailers Take Note: Data Privacy Trends and Actions for the coming year: Highlights of the Information Commissioner’s Annual Report 2010/11

If the idea of digesting the Information Commissioner’s 86-page long annual report in full doesn’t really appeal to you, then why not let us do the hard work? Below, we highlight not only the key changes to the policy and enforcement objectives of the Information Commissioner’s Office (“ICO”) over the past year, and the likely indications from the report of the developments to come, but also our suggested actions and comment to help you avoid falling foul of data privacy compliance, risking damage to your reputation and incurring unnecessary cost and resource further down the line.

New powers

The ICO’s enforcement arsenal was enhanced significantly in April 2010 when it was granted the power to fine organisations up to £500,000 for serious breaches of the Data Protection Act. Four monetary penalties have been issued since then, as well as five prosecutions brought in the last year. However, the ICO has been keen to stress that such tactics are a means of last resort, and seeks to resolve cases informally where there is opportunity to do so.

Pitmans Comment; it is worth noting that since May 2011 the ICO now also has the power to fine organisations up to £500,000 for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the previous power to fine only extended to serious data breaches, not breaches of the laws relating to electronic marketing and privacy).

In addition, the ICO also has a new power to audit measures taken by a public electronic communications service provider (service provider) to:

  • safeguard the security of its service; and  
  • comply with a new personal data breach notification and recording requirement.

This second requirement is a significant development and, where a breach may adversely affect the personal data or privacy of a user, a service provider is not only obliged to notify the ICO, but also the user concerned. This has a significant cost and PR implication.

The ICO favours prevention over cure; it tends to accept undertakings (where an organisation commits to making specific improvements) as a precursor to more formal action. The number of instances where the ICO has approached organisations to offer good practice audits has increased dramatically over the past year, although take-up in the private sector has been poor. Nevertheless, the ICO issued 26 audits in 2009/10, 60% more than in 2009/10. It also released several codes of practice last year to help businesses stay on the straight and narrow, including a Code of Practice on Personal Information Online which was launched in June.

Pitmans Suggested Action: ensure you have a paper trail evidencing compliance and training. Refresh staff by periodic training and regular security reviews and conduct vulnerability testing to public accessing applications. It is clear that audits are becoming more popular. Always be prepared.

Emerging enforcement trends

The hot topics

Subject access requests were the most popular topic of complaint, accounting for nearly a third (28%) of all issues reported to the ICO. Since this is the area where, statistically, data controllers tend to slip up, companies are well advised to ensure they have appropriate systems in place to deal with subject access requests within the applicable time limits. Inaccurate data (15%), inappropriate disclosure of data (12%), and automated and live marketing calls (9% each) are the cause of the next most numerous complaints. There has also been an increase of 17% in the number of freedom of information cases referred to the ICO over the past year.

The ICO has earmarked the challenges perpetuated by (or, indeed, in spite of) technological advances as a priority. The ICO is concerned that a significant amount of highly sensitive personal data is still sent by fax, despite the securer alternatives offered by newer technology. Failures by organisations to encrypt personal data in appropriate circumstances remain also remain a key concern.

The new rules in relation to cookies are also firmly on the agenda. Although the lead-in period for the new rules expires in May 2012; the ICO has indicated that it will intervene in the meantime in certain circumstances: “we shall hold our enforcement powers in reserve, intervening in the first year only where it is clear that a website owner is doing little to attempt to comply”.

Pitmans Suggested Action: review what technical and operational security measures your organisation currently employs in relation to sending personal data and keeping data secure. If your staff are using mobile devices and laptops, review and implement encryption software solutions.

Companies would also be well advised, if they have not already done so, to conduct a digital marketing audit and review their data processing and collecting practises in the e-commerce environment. Please let us know if you would like assistance with such an audit.

The targeted organisations

Essentially, the ICO targets those organisations about which it receives the most complaints. The ICO affirmed that it also uses a risk-based process to identify and contact organisations that handle personal information, which takes into account a number of factors such as volume and type of data an organisation holds, complaints received by the ICO and cases where enforcement action was considered. It then uses the information from individual cases to build a picture of how seriously data controllers take the issue of handling personal data or providing information the public has a right to see.

The ICO has declared that it now expects more from data controllers when complaints are reported – as well as asking them to explain the circumstances of individual complaints, it now asks for information about how the data controller intends to put things right and how they adhere to general information rights obligations.

Pitmans Suggested Action: respond to complaints and proactively manage any inappropriate use of personal data carefully. Consider preparing a contingency response plan to any complaints, with a pre-prepared response to customers, the ICO and the press.

The targeted sectors

Over the past year, the ICO launched campaigns aimed at estate agents and private medical practitioners to remind them of their obligations to notify the ICO if they handle personal data. Accordingly, we should probably expect similar campaigns in the future directed at other industries in the private sector that routinely handle personal data, e.g. education and training providers, telecoms companies, and online retailers.

Pitmans Suggested Action: retailers, in particular, take note. The ICO issued a statement on 9 August in the light of a security breach suffered by Lush, the cosmetics retailer, making it clear that etailers must ensure they keep customers’ personal data secure. An extract of the statement is reproduced below: -

Acting Head of Enforcement at the ICO, Sally Anne Poole said:

“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.   “Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

In the meantime, the ICO will be consulting on a revised Information Rights Strategy showing how it prioritises the different sectors and subjects for regulatory attention, which is definitely a development to watch out for!

The likely consequences

The ICO’s report contains a selection of salutary tales demonstrating exactly how not to deal with a data protection breach. These case studies indicate the circumstances that the ICO is likely to consider as “aggravating factors” when determining whether to issue monetary penalties. As well as the impact and severity of breach the ICO will consider a number of factors, such as whether:

  • a risk assessment was made; 
  • alternative means of storing/transmitting data were considered/devised; 
  • other measures were employed to minimise risks (e.g. by using a ‘ring ahead’ system to increase security of fax transmissions); 
  • the organisation followed its own policies; 
  • effective remedial action was taken following the breach (such as the re-training of staff);
  • the organisation’s officers and staff understand the cause and significance of the breach.

Pitmans Suggested Action: conduct Privacy Impact Assessments (PIA) and employ Privacy by Design (PbD) into concept and new product design to ensure that any privacy implications of new technologies are considered at an early stage. This may reduce the likelihood of incurring substantial re-development costs at a later stage, as well as the risk of complaint, adverse PR and enforcement.

Improved efficiencies

The number of decision notices issued by the ICO increased significantly from 628 in 2009/10 to 817 in 2010/11, However, the appeal rate has remained constant at around 25%, meaning, effectively, that there has been no corresponding deterioration in the quality of decision making. The ICO has put this dramatic improvement down to the introduction of new structures and processes that has allowed it to deal more quickly with complaints.

There has also been a blitz on freedom of information complaints. Over the last 12 months, the number of complaints that have been in the ICO’s in-tray for more than a year has reduced from 117 complaints to just three.

Involvement in law making

In terms of the ICO’s contributions to UK legal policy, it has had a busy year. The ICO issued responses in December 2010 and February 2011 to the Protection of Freedoms Bill, and provided evidence to the Public Bill Committee in March 2011. Also in December last year, the ICO issued a statement welcoming proposals set out by the government to expand the scope of the Freedom of Information Act.

At present, the ICO is engaged in the review of the OECD’s Privacy Framework and modernisation of the Council of Europe’s Data Protection Convention, and, through its membership of the Article 29 Working Party, the ICO is also reviewing the EU Data Protection Directive. The ICO will also be contributing to the post-legislative scrutiny of the Freedom of Information Act by the House of Commons Justice Committee.

This year, the ICO appointed Simon Rice, who has a background in delivering databases, software tools and data analyses for a government research agency, as the ICO’s first technology policy advisor to assist with the work on policy development, investigations and complaints handling. Simon’s appointment is complemented by the creation of a Technology Adviser Panel, whose role is to assist the ICO in producing up-to-date, relevant guidance on technical innovation and up-and-coming issues.

Pitmans Suggested Action: technology providers and organisations using new technologies to gather and analyse and mine user profiling data beware. The ICO is investing more in analysing new technologies and is likely to be more savvy in its enforcement of non-compliant data repositories and applications. Again, consider privacy at an early stage of design and development and, before licensing a new CRM system or data tool, ask the relevant supplier to confirm what steps it has taken to ensure that it complies with data privacy laws (whether it be at home or abroad).