Christopher Graham, the UK Information Commissioner, has said that he will support companies in getting data protection right, but that he will be “on your case” if you get it wrong. The Information Commissioner was speaking at the annual Privacy and Data Protection conference in London on Thursday 13 October 2011. His views come in the wake of the extension of the fining power (£500,000 per breach) to breaches of the Privacy and Electronic Communications Regulations, and of the active enforcement policy adopted by the Information Commissioner's Office (ICO) in the last 12 months.
Role of Data Protection
The Information Commissioner talked about the development of data protection, from being a rather “geeky” area 10 years ago, to the current position where consumers are becoming much more savvy about their data protection rights. He said that it is important for companies to embrace data protection and not simply leave it to the “IT guys”. Customers and businesses are waking up to the importance of the area, as is government. The ICO’s aim is to be recognised, by its stakeholders, as the authoritative arbiter of information rights in the UK.
Complaints and Enforcement Risk
Data protection complaints to the ICO are up two per cent on the half-year compared with the number of complaints last year. Complaints about spam texts have risen by 200 per cent and now make up 13 per cent of all data protection complaints. Clearly, individuals are waking up to their data protection rights.
The new £500,000 fining power has been used by the ICO on a number of occasions in the last 12 months. The Information Commissioner is also calling for the implementation of the custodial penalty for “data theft” (i.e. breaches of Section 55 of the Data Protection Act) relating to unlawful obtaining or disclosing of personal data. The Information Commissioner takes a serious view of this.
The new rule on cookies, which came into force on 26 May 2011, requires opt-in prior consent where cookies are used to place or store information on the terminal equipment of the user. This, effectively, requires prior consent for online behavioural advertising. The US has adopted the reverse approach (i.e. opt-out). There are indications that work is ongoing to update browsers so as to better enable compliance with the new rules. The ICO will be publishing further guidance on this. However, the Information Commissioner is very clear that the new rule is “the law”. Organisations therefore have a legal obligation to ensure compliance. Organisations also need to undertake an audit of the current use of their cookies to determine how intrusive they are and how best to ensure compliance with the new rules. This should be happening now.
The ICO has been offering free audits to companies for some time. The ICO Audit Manual is available on the ICO website. The Information Commissioner has been disappointed by the take-up. He continues to press for the extension of the compulsory audit powers (currently only applicable to key parts of the public sector) so that it also applies to the private sector. This is the type of audit that Google recently agreed to, the results of which were published in August 2011 and focused on “privacy by design” and training for the relevant engineers and software designers.
Key Risk Areas
The Information Commissioner identified a number of areas as posing particular risks. These are financial services (in particular insurance and car insurance), the healthcare sector and local government. We can expect further pressure on data protection enforcement in these areas and continued calls for the extension of compulsory audit powers.