On Thursday 20th June on behalf of the Society I attended the launch of the ICO's 2012/2013 Annual Report at Westminster Hall.
The Report was delivered by the Information Commissioner, Christopher Graham, supported in part by Simon Entwisle (Director of Operations), who covered a review of the year’s case load. The delivery of the report was then followed by questions to the panel made up of the senior officers of the ICO, with Christopher and Simon being joined by Daniel Benjamin, David Smith and Graham Smith.
The overall theme was that the ICO was: “Holding our course, while handling more business, responding to new challenges and coping with fewer resources”, with the Office remaining independent, authoritative and forward-looking.
The Report was delivered around the structure of seven “E’s”, namely:
There was also comment on requirements and challenges for the Future.
The Civil Enforcement Team looked at more than 1,300 cases (45% up on last year) and imposed 23 civil monetary penalties for serious mistakes, totalling £2.6m.
Additionally about 155,000 concerns about spam text and nuisance calls were registered on the web site; this year the ICO imposed the first civil monetary penalty under the Privacy in Electronic Communications Regulations (PECR) directive of £440,000 and the first civil monetary penalty for cold calling of £90,000.
The focus during the year was on four main areas:
- Cookie compliance on web sites
- The publication or update of 51 pieces of FOI advice
- Publication of the 'Anonymisation Code of Practice'
- The Data Protection conference in Manchester in March 2013
Awareness-raising seems to be working! According to research, 86% of individuals are aware of their rights under the Freedom of Information Act, whilst 87% know of their Data Protection Act rights to access personal information.
The ICO has been working to embed information rights into the national curriculum, with pilots running in a number of schools.
On another big topic, they assisted 372 individuals to challenge their inclusion within the construction industry blacklist.
The message was that data protection is not just about saying “No” – you can say “Yes” if you do it properly and safely. This was illustrated by the publication of the ‘Data Sharing Code of Practice’.
During the year the ICO conducted 58 consensual audits of Data Controllers (up 38% on last year), plus 78 advisory visits (up 30%). They have also introduced audit outcome reports on common themes of good practice.
The ICO is proactively engaging with current developments in the field of technology, policy, business etc. To this end it is involved in:
- Post-legislative scrutiny of the Freedom of Information Act
- Open Data and transparency agenda
- The Leveson Inquiry
- The proposed revision of the EU Data Protection regime
This covered a review of the ICO’s effectiveness in dealing with the ever increasing demand for services.
There was a 3.7% increase in calls, requiring the ICO to increase its output by 3.2% to handle them. An independent customer survey showed over 90% satisfaction.
The ICO re-used information to improve the FAQs on their website, which have developed considerably during the year.
Data Protection complaint casework increased by 6.3% during the year, requiring a corresponding increase in output of 10.3% to enable case closure. Most complaints were about the way the biggest data handlers in the country responded to requests for information. About 35% of complaints were upheld.
For FOI and the Environmental Information Regulations there was a 1.7% increase in casework. There was a 1.3% drop in output owing to a reduction in the ICO’s resources; however, the volume of casework remains level and has not fallen behind. The ICO issued 1,100 decision notices in the year. These were mostly related to central government, local government (who saw a slight increase) and the health service (who saw a slight decrease). 44% of cases were upheld on appeal in whole or in part; this was down from 50% last year.
An online reporting mechanism was introduced for PECR. 50% of complaints related to recorded voice calls, 25% to telesales speaking with a person and 25% related to spam texts. The ICO’s approach is to contact organisations about their compliance with the law and, if there is no improvement, to look at civil monetary fines.
During the year 685 concerns relating to cookies were reported.
With regard to their own operations, the ICO received a record number of information requests (Data Protection and FOI), up 5% on last year. They responded to 98% within the statutory timescales.
The income of the ICO consisted of:
Data Protection: £16,055,000 from 372,369 data controller registrations
FOI: £4.25m grant-in-aid FOI income, although this is being cut
To address their reduction in income, the ICO is taking the following actions:
- IT re-procurement (moving from Capita to Northgate)
- Agile notification (e.g. taking credit card payments)
- Home working
- A greener ICO (e.g. no hard copy annual reports this year!)
- Improved knowledge management (e.g. more joined up between Data Protection and FOI teams)
The ICO has the following matters on its horizon:
- The new Data Protection regime from 2016
- New obligations for Data Protection authorities
- The European Data Protection Board
- An end to the notification obligation
- A new method of funding the ICO
- The squeeze on FOI grant-in-aid
- Open Data and Big Data
- The challenge of international global enforcement co-ordination
Therefore, the ICO is getting ready for change, understanding that there are new responsibilities, new ways of doing things and achieving better for less. It is consulting with both staff and stakeholders over the next 12 months to feed into the ICO’s 2014-17 Corporate Plan.
A number of questions were raised from the floor and addressed by the panel relating to:
- Current news events relating to the Care Quality Commission
- Current news events relating to PRISM / NSA (although breaches of RIPA are not under the ICO)
- The letter to Google sent by the Article 29 working party raising the risks relating to Glass
- The need for greater European consistency without too much over-engineered process (the ICO wants a focus on risk and proportionality)
- Balancing Open Data with the need to be careful, particularly with regard to health data
- The need for proper section 55 penalties (with the ICO pressing for this as part of consultation on the Leveson recommendations)
- The work being undertaken relating to the construction industry blacklist whereby the ICO is working with the DWP, trade unions and Equifax on data matching to contact those on the list where possible
- The desire to have the power for non-consensual audits of local government and the health service
- The need to develop clear online privacy policies written for consumers not lawyers
The full report is available at http://www.ico.org.uk/news/latest_news/2013/~/media/documents/library/Corporate/Research_and_reports/ico-annual-report-201213.ashx
Special Projects Officer
The Information and Records Management Society