The UK Information Commissioner Office (the ICO) held its annual conference in London on the 2nd of July 2015. In a brief, albeit informative conference the ICO presented its annual report and discussed the data protection issues that are on the top of the ICO’s agenda.
The ICO stated that data protection should not be seen as a ‘hassle, but as a fundamental right’. It was agreed that data protection is an ever changing area and the ICO closely observes case developments in the EU and the UK so that court decisions can be implemented in practice.
In response to the claims from the audience that the ICO only sanctions easy targets such as charities, health organisations etc., the ICO stated that the majority of the penalties this year were issued to private companies and those who failed to implement adequate security measures.
The ICO confirmed that it pays separate attention to the rights of individuals accessing their information and is closely monitoring how companies fulfill consumer requests for the right to be forgotten and subject access enquiries.
The ICO is also looking at enforced subject access requests that are often used in the context of employment. This year such requests became a criminal offence. Section 56 of the UK Data Protection Act 1998 makes it an offence to require an individual to use their subject access rights to provide details of their criminal record in an employment context or as a condition for the provision of services, goods and facilities.
The ICO confirmed that there has been an increase of complaints in relation to the UK Privacy and Electronic Communications Regulations 2003, relating specifically to unsolicited calls. Monitoring and sanctioning nuisance call practice is another of the ICO’s focus areas.
The ICO is also planning to complete development of the privacy seal by Christmas 2015.
When talking about the general data protection Regulation (the Regulation) and the Council of Ministers’ (the Council) draft, the ICO confirmed that the best preparation for the Regulation is to be up to date with current data protection laws.
The ICO stated that it is not in favour of the term ‘unambiguous consent’ which is currently being offered by the Council’s draft version of the Regulation for legitimising data processing. The ICO favours the “express” consent option.
In relation to the current registration obligations, the ICO confirmed that under the Regulation, registrations will not be required; however the ICO is proposing that some form of fee has to remain, since registration fees are currently the key source of funding for the ICO.
The ICO will publish its position on the Council’s text over the next few weeks.
The conference attendees also discussed the UK Freedom of Information Act 2000 (FOI). The ICO confirmed that expectation amongst society is changing. The ICO receives more complaints from individuals and more entities are being caught under FOI.