The Information Commissioner’s Office (ICO) regulates every organisation which deals with personal data and official data in the UK (and sometimes overseas). Its remit extends across the public and private sector, including multinationals, SMEs, public authorities and charities.
Now that Mr John Edwards, the new Information Commissioner, has been in post for over a year, and with data reform on the horizon, the only certainty for information regulation is continuing change. This update sheds some light on the ICO’s priorities and powers in this period.
DEVELOPMENTS IN ENFORCEMENT
Whilst we will continue to see significant fines being imposed, the Commissioner has made it plain that successful regulation cannot be measured by the quantum of fines imposed. It is expected that the ICO will be relying upon a broader range of tools available to encourage and, where necessary, enforce compliance. More nuanced measures of success will be introduced, with the ICO regulating for “outcomes, rather than outputs.”
A new approach to public sector enforcement
In June 2022, the Information Commissioner announced a two year trial of a new approach to enforcement within the public sector; there will now be a focus on reprimands and enforcement notices with fines reserved for “the most egregious cases”. In November 2022, the Information Commissioner explained that fines were but one enforcement tool available for data law breaches. He commented that when the ICO fined public sector bodies, it was punishing the very individuals which the legislation was designed to protect. In line with this new approach:
- The Information Commissioner reduced the fine imposed on the Cabinet Office for the ‘New Year Honours’ data breach from £500,000 to £50,000 in November 2022.
- The Information Commissioner found that the Department for Education conducted inadequate due diligence when allowing a database of pupil qualifications to be accessed by a screening company which provided age verification services for gambling companies. The Information Commissioner commented that using pupils’ learning records to help gambling companies was plainly unacceptable and indicated that the breach “warranted a £10 million fine,” although imposed a reprimand in November 2022 instead.
Publication of reprimands
The Commissioner also committed to more transparency and better certainty, including by publishing selected reprimands from January 2022 onwards.
Reprimands, which set out the Commissioner’s findings and recommendations at the conclusion of an investigation, will be considered for publication in accordance with the Communicating Regulatory and Enforcement Activity Policy. The ICO must have a lawful basis to publish, and consider various factors in considering whether publication is in the public interest or would prejudice its regulatory work. This includes prejudice to a trial or investigation, inclusion of personal or highly commercially-sensitive information and legitimate expectation.
CYBER-SECURITY AND DATA BREACHES
Phishing and cyber-security: “The biggest cyber risk is complacency not hackers”
In October 2022, Interserve Group Limited was found to have failed to adopt appropriate technical and organisational measures following a cyber-attack arising from a single phishing email. The Information Commissioner commented he intended the £4.4 million fine “to cause directors and chairmen to sit up and start asking questions”. The cyber-attack resulted in the compromise of 283 systems and sixteen accounts, disabled the company’s antivirus software, and encrypted current and former employee information, affecting as many as 133,000 employees. The ICO found that Interserve were running outdated support systems and protocols and, importantly, staff had not received adequate security training.
Direct marketing, profiling and the ‘invisible processing of health data’
The ICO continues to investigate and fine companies for breaches of the Privacy and Electronic Communications Regulations (PECR) in connection with direct marketing activities, both unsolicited emails and telephone calls where individuals are registered with the Telephone Preference Service (TPS). The ICO’s Head of Investigations has assured the public that ICO will “continue to take strong action to protect the public”.
The fines issued against Easylife demonstrate that the ICO will also pursue associated GDPR breaches where necessary. Easylife was fined £130,000 in October 2022 for making 1,345,732 direct marketing calls to individuals registered with the TPS. An additional fine of £1.35 million was imposed on the basis that Easylife marketed products to 145,400 individuals on the basis of medical conditions predicted from earlier purchases. The ICO concluded this amounted to both profiling of these individuals and “invisible processing of heath data” which fell short of data protection law.
INTERNATIONAL CO-OPERATION AND ENFORCEMENT
International co-operation and Clearview
The Information Commissioner’s role in driving international co-operation between data protection authorities was demonstrated by the conclusion of the joint investigation of the ICO and the Office of the Australian Information Commissioner into the conduct of the US-based Clearview AI Inc (Clearview). This concluded with a Monetary Penalty Notice of £7,552,800 being issued against the company and an Enforcement Notice requiring Clearview to cease processing and delete all personal data of UK residents. Australian, French, Italian and Greek data protection regulators issuing heavy fines against the company.
Clearview ‘scraped’ images of people from the internet, including UK residents, to create a global online database of over 20 billion images used for facial recognition. Customers of the company, which included at least five UK law enforcement agencies, could provide images to be searched against the database. The Commissioner found that this fell short of UK data protection laws, including concerning biometric data.
Clearview has contested ICO’s decision on the basis that non-US regulators have no jurisdiction over its operations in the US and has reportedly appealed the ICO’s decision. Judicial guidance on the extra territorial application of UK GDPR will bring more certainty in respect of the ICO’s enforcement reach.
CRIMINAL INVESTIGATIONS AND PROCEEDINGS
The ICO continues to criminally prosecute individuals, where it considers it necessary, with respect to unlawfully obtaining personal data contrary to section 55 Data Protection Act 1998 and section 170 Data Protection Act 2018. These cases commonly involve employees in positions of trust accessing and using personal data for their own purposes. In a comment on a recent case, the ICO emphasised that “organisations should remind their staff about their data protection and information governance responsibility”.
Former Health adviser prosecuted for unlawfully sharing data
A former health adviser was found guilty of unlawfully accessing patient records contrary to section 170 Data Protection Act 2018. The former health adviser was ordered to pay a total of £3,000 compensation to the thirteen patients whose data was accessed.
RAC employee prosecuted for sharing data with claims companies
An RAC ‘customer solutions specialist’ was convicted of two counts of ‘data theft’ (section 170 Data Protection Act 2018) after an investigation revealed he had stored data from 272 traffic incidents on telephones and 21 drivers had been contacted by claims companies. He was fined £5,00 and ordered to pay costs.
NHS 111 call centre advisor prosecuted for accessing personal records
Whilst working as a service advisor at an NHS 111 call centre, this individual accessed records relating to a caller who had made a complaint about him, along with the records of the caller’s child and other family members. He was fined £630.
STRATEGIC DIRECTION OF THE ICO
ICO25 – a three-year strategic plan
The ICO published its draft strategic plan, ‘ICO25,’ in July 2022, setting out its priorities for the next three years. After research revealed a relative lack of awareness concerning the work of the ICO, the new Information Commissioner wishes to clearly communicate the direction of travel for the regulator.
ICO25 focuses upon empowering and safeguarding vulnerable individuals through data protection law as well as encouraging responsible innovation and sustainable economic growth. The Annual Action plan annexed to the ICO25 includes:
- Actions for the ICO to further explore the impact of AI driven discrimination, in an effort to strengthen the protection of the most vulnerable users including, children.
- Continued support for SMEs by publishing a range of ‘data essentials’ training and development modules for compliance with data protection law.
- The creation of forums for organisations to discuss and debate compliance questions.
- Commitments to work closely with public bodies and seek to promote transparent decision making and regulatory certainty.
- Further publication of internal data protection and freedom of information training materials and the creation of a linked database.
A renewed focus upon the Freedom of Information Act
The Information Commissioner has committed to a new approach in regulating the Freedom of Information Act 2000 (FOIA) after criticism that this legislation had slipped off the regulatory radar.
The ICO demonstrated its commitment by issuing the first FOIA Enforcement Notice in seven years for failing to respond to information requests within the statutory time limit.
The FOI and Transparency Manual was published July 2022, detailing the ICO’s updated approach to regulating the FOIA. The ICO reaffirmed that its use of statutory powers for non-compliance with FOIA should be reserved for public bodies that demonstrate consistently poor performance in compliance with the law.
The ICO25’s innovation strategy includes prioritisation of complaints received, including whether there is a high public interest in the requested information and if the requestor is raising awareness or supporting vulnerable groups. The ICO estimates around 10 - 15% of cases will be prioritised for resolution.
The ICO has set up a new Upstream Regulation team to assist public bodies to deal with FOI requests after conducting an independent external survey with public bodies last year. Pending results of this research, the ICO has published a suite of products to help public bodies improve their compliance with freedom of information law and respond to information requests without delay.
AND ON THE HORIZON …
Data protection reform imminent?
The second reading of the Data Protection and Digital Information Bill (‘the Bill’), scheduled for 5 September 2022, was delayed to allow Ministers to consider the Bill further. Alongside a shift in emphasis for data protection compliance from ‘box ticking’ to risk assessment, this bill sets out significant changes to the structure and governance of the ICO including additional investigatory powers bringing the ICO in line with other regulators.
It is understood that the Government is currently reconsidering the bill to ensure that all opportunities for innovation and growth are explored within the parameters of its current EU ‘adequacy’ status. It is not known what shape the re-drafted bill will take, or whether further consultation will be undertaken.
Biometric guidance to be published
Whilst supporting innovation, the ICO has expressed caution with respect to the available technology outpacing the necessary legal, governance and accountability structures. Facial and voice recognition technology is swiftly being superceded by new technology to track emotions and behaviours. New guidance on biometric surveillance is expected in the Spring.
Ofcom and the ICO collaborate on online safety
The Online Safety Bill continues to slowly progress through Parliament. Ofcom, the regulator with primary responsibility for enforcement of this new legislation, will be closely supported by the ICO. The safety of children on-line has been a priority for the ICO for a number of years, with the Age Appropriate Design Code setting out good practice for those designing online services for children, including with respect to age verification, transparency and profiling. The two regulators have committed to close collaboration to ensure that their guidance is clear and consistent.