Not got time to read the ICO's entire annual report but interested in what the ICO has been doing and key trends? Here are the highlights in nice and easy bullet point form for you:
- Complaints (Lots of Them)!
  - Nearly 14,000 data protection complaints received (up 6% on last year and over 1,100 a month).
  - In 35% of cases, the regulator found that 'compliance was unlikely', i.e. the law had probably been breached (around the same as last year, so no improvement in the general standard of data protection compliance).
  - Just under 6,500 complaints about marketing opt-ins & opt-outs and cookies (down 10% on last year).
  - Most of the 6,500 complaints were around telesales, SPAM texts and e-mails (in that order) - only 1% complained about fax.
- Fines (Lots of Them)!
  - Imposed fines of over £2.5m on 23 data controllers (more than double the number of organisations fined in the previous year).
  - All but one of the ICO's fines related to security breaches, and over two thirds were issued to organisations in the health and local government sectors (the figures are skewed as these guys have to notify breaches and the private sector generally isn't obliged to, yet!).
  - NHS bodies fined over £1m (if you think about the fines proposed under the new Regulations and the ICO's mandatory obligation to fine for every breach, ongoing security breaches could become crippling for NHS Trusts and other NHS bodies).
- Audits (Lots of Them)!
  - 58 audits of data controllers (up by over 35% - the ICO doesn't currently have rights of audit for most sectors, but this will change under the proposed new Regulations).
- SPAM (Lots of It)!
  - Focussed on spam/nuisance calls and made it easy for people to report them (over 150,000 'tip-offs').
- Codes and Consultations
  - Debunking the myth that data protection prevents disclosure of data (focussing on its data-sharing code of practice, which promotes responsible data-sharing - a theme which is key to the cultural transformation within the NHS & the revised Caldicott Principles).
  - Lobbying and influencing the shape of the proposed new General Data Protection Regulation (yes, it's not just you that doesn't like it - the Regulator doesn't like it either & thinks it's far too prescriptive and will detrimentally affect the regulator's work and impact).
  - Rolled out its anonymisation code of practice & 'cloud' code of practice.
  - Consulted on its subject access request code of practice (due to be rolled out this summer).
The general theme is that privacy is more relevant than ever and that the regulator is having an impact in some areas and has identified areas where further work is needed.
The regulator's own view is that 2013 will be the year that the commercial imperative of good data handling will be achieved. I'm not sure if it will be achieved this year, but our experience does bear out the fact that organisations are taking data protection compliance more seriously than ever before and are committing to the principle of 'privacy by design' (the simple commercial fact being that it's cheaper and easier (albeit not 'easy' or 'cheap') to factor in privacy at the outset than to try and retrofit it (which is definitely not 'cheap' or 'easy'))!

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.