On 7 July 2020, the Information Commissioner's Office (ICO) published its fourth annual report for 2019/2020 (Report) (which can be accessed here).
The 2019/2020 report (i) reviews work carried out by the ICO in 2019/2020 including its key achievements and some of its most impactful work (Performance report), (ii) provides an account of its corporate governance, accountability and audit reporting (Accountability report), and (iii) contains information regarding the ICO's financial performance (Financial statements).
This article considers some of the key points arising from the ICO's latest annual report in what has been another busy year for the UK's data protection authority. We highlight some of the data protection and compliance issues that have been the subject of the ICO's focus to help organisations and others understand the ever evolving data protection landscape.
Frontline Advice Services
According to the Report, the ICO has seen a large increase in the level of contact received from members of the public since the implementation of the GDPR. Data protection complaints and reports of personal data breaches from the public have likewise risen substantially. Accordingly, demand for the ICO's frontline advice services has continued to increase and, as a result, the ICO now employs over 250 people to assist customers through its complaints handling services.
Brexit – The European Data Protection Board (EDPB) & ICO's new guidance
Up until the UK's departure from the European Union in January 2020, the ICO had been a full member of the EDPB. In this role, the ICO played an active part in supporting the implementation of the GDPR, guiding issues on new technologies and effecting the 'one-stop-shop' system of enforcement investigations and applications by multi-nationals for intra-group transfers of personal data. The ICO's membership of the EDPB has now ended, but according to the Report, the ICO's role in the 'one-stop-shop' system will continue until the end of the transition period. The ICO has further indicated on its website that participation by the UK in the 'one-stop-shop' after the end of the transition period is being discussed between the UK and the EU. In the meantime, this will inevitably place a greater onus on the ICO to maintain strong relationships with other European data protection authorities to ensure that the UK remains protected after its exit from the EU.
As a result of the UK's departure from the EU, the Report notes that the ICO has been developing new guidance for the event that the UK leaves the EU with no deal in place, relating to Special Category Data (Articles 9 and 10), the Immigration Exemption, and Special Category Data and Part III Processing. The ICO has also created detailed guidance, with the Alan Turing Institute, on how to provide explanations of decisions made with AI, which was published in May 2020.
In addition, the ICO updated guidance on a wide range of areas, including Your Credit Explained, Right of Access, Right to Erasure, Right to Object, as well as on the Freedom of Information Act 2000 and the Environmental Information Regulations 2004.
One of the key roles of the ICO is to take regulatory action in response to breaches of the legislation that it regulates. In 2019/2020, the ICO conducted over 2,100 investigations which led to regulatory action in 236 cases. This action was wide ranging and included the issuance of 54 Information Notices, 8 assessment notices and 7 Enforcement notices, along with 4 cautions, 8 prosecutions and 15 fines.
The cases that resulted in cautions and prosecutions arose under section 55 of the Data Protection Act 1998 and section 170 of the Data Protection Act 2018, both of which relate to the offence of unlawfully obtaining, or disclosing, personal data without the consent of the data controller, and additionally under section 77 of the Freedom of Information Act 2000, which concerns the offence of altering records with intent to prevent disclosure. The latter was the first successful prosecution of its kind. The case involved a town clerk of Whitchurch Town Council who had deleted an audio file following a Freedom of Information request by an individual who asked for a copy of the audio recording of a council meeting. The town clerk pleaded guilty to blocking records with the intention of preventing disclosure and was fined £400, ordered to pay costs of £1,493 and a victim surcharge of £40. The Report notes that this case emphasised the critical importance of transparency for public authorities in the way they carry out their business.
The Report further notes that in 75% of the cases in which the ICO is involved, the defendants submitted guilty pleas, which meant the ICO was able to avoid the need for protracted trials and the resulting costs.
Two of the most significant cases handled by the ICO this year were the major data breaches at British Airways and Marriott, which attracted substantial media attention in July 2019. Given that the regulatory process is ongoing in these cases, the Report does not delve into detail regarding the enforcement action that it has taken. The other key regulatory development saw the settlement of a case with Facebook, which had been brought under the Data Protection Act 1998.
Data Protection Complaints
Tied closely to the public's growing awareness of their information rights and the implications of the GDPR is a continued level of engagement with the regulator. The ICO reports that it received 38,514 data protection complaints during 2019/2020, only slightly lower than the figure of 41,661 from last year. By focusing on key areas to streamline its service, the ICO has nevertheless managed to resolve a record 39,860 cases, thereby slightly reducing its overall caseload.
On the part of data controllers, there is still much to be done. The ICO's report says that in half of the cases that it reviewed in 2019, it concluded there was more that could have been done by the data controller to either improve their information rights practices or to explain how they are complying with the law.
Personal Data Breaches
As with data protection complaints, 2019/2020 also saw a small reduction in the volume of personal data breaches reported to the ICO: 11,854 compared to 13,840 for the previous year. In 95% of cases the ICO's investigations resulted in no action against the data controller.
It is worth noting that the health sector generated the largest proportion of the total number of personal data breach reports in 2019/20 (19.66%), overtaking 'general business' (17.16%) which had been responsible for the most reports in 2018/19. The education and finance sectors also remained high on the list, contributing 14.11% and 9.99%, respectively.
The increased demand for the ICO's services has been reflected in the increase in the level of contact experienced by its Frontline Advice Services. This support not only promotes good data practices but also supports the UK's digital economy.
With the UK leaving the EU, the ICO makes it clear in its Report that it is committed to ensuring that the personal data of UK citizens flowing across borders is effectively regulated through the connected network of other EU regulators. It has also reviewed and updated guidance in different areas in the event of a no deal outcome.
While the numbers of data protection complaints and reported personal data breaches have fallen slightly in 2019/2020 compared to the previous year, it is worth noting that the sectors generating the most complaints and the most data breach notifications are largely similar, in that both general business and the health sector feature high on both lists.