The UK Information Commissioner’s Office (ICO) released its annual report for 2020-21 in July. The report documents the operational and financial performance of the office and includes its accountability report. With regard to data privacy complaints, the ICO received 36,607 complaints, fewer than the previous year (38,514). However, it issued data protection fines in only three cases.
What is the ICO?
The Information Commissioner’s Office is the UK’s independent body that upholds information rights. It reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). The office oversees the UK’s data privacy regime, including the Data Protection Act 2018 and the UK GDPR, the Freedom of Information Act 2000, the Environmental Information Regulations 2004, and the Privacy and Electronic Communications Regulations (PECR).
Some statistics from the UK ICO report
Total complaints: The ICO received 36,607 complaints and closed 31,055 of them. The current caseload stands at 12,072. Of the total complaints, the finance, insurance and credit sector generated the most (4,847), followed by general business (3,943) and online technology and telecoms (3,317).
Personal data breach reports: The ICO received 9,532 personal data breach reports and investigated 21.6% of them. It took the informal action of simply recording the breach in 3.9% of cases and issued a lower-tier fine in a mere 0.1% of them.
Health (16.8%), education and childcare (13.6%), retail and manufacturing (10.9%), and finance, insurance and credit (10.5%) were the sectors that reported the most breaches. Online technology and telecoms accounted for 3.8% of the total personal data breach reports.
Over the entire year, the ICO issued three fines, totalling £39.65m. In October 2020, it fined British Airways £20 million for processing a significant amount of personal data without appropriate security measures in place. The company had also been unable to detect the cyber-attack for more than two months.
The second fine was imposed on Marriott International Inc.: £18.4 million for failing to keep millions of customers’ personal data secure. A breach that began in 2014 exposed 339 million guest records worldwide, and the ICO found that the company had not put appropriate measures in place to protect the personal data. As with British Airways, Marriott failed to detect the attack, in its case for four years.
Lastly, the ICO fined Ticketmaster UK Limited £1.25 million for failing to keep customers’ personal data secure. The company had not put appropriate security measures in place to prevent a cyber-attack on a third-party chatbot embedded in its online payment page. The resulting data breach affected 9.4 million customers across Europe, including 1.5 million in the UK. The investigation found that the breach led to fraud involving 60,000 payment cards.
Some other notable contributions of the ICO
The Age Appropriate Design Code: The code sets out standards that online services must follow when handling children’s personal data, built around a ‘privacy by design’ approach. All major social media and online services used by children in the UK need to conform to it. The code came into force on 2 September 2020, and after a 12-month transition period it has been fully enforceable since 2 September 2021.
Improvement and enforcement in credit referencing: The ICO issued an enforcement notice against the credit reference agency Experian after an investigation into its data broking activities uncovered a serious breach of privacy law. Following ICO audit recommendations, Equifax and TransUnion also made improvements and withdrew some products and services.
Data privacy and police investigations: An ICO investigation found that police forces were extracting and storing excessive amounts of data from mobile phones without an appropriate basis in data protection law. After the ICO published its report, the National Police Chiefs’ Council withdrew its digital device extraction consent forms, and the government is considering the report’s recommendations.
Action against nuisance calls: The ICO imposed 35 penalties under the Privacy and Electronic Communications Regulations, totalling £2.306m.
Criticism of the ICO
Beyond the above, the ICO is also investigating real-time bidding (RTB) in the ad tech industry, and it is working with the Competition and Markets Authority on Google’s proposal to phase out third-party cookies in Chrome.
However, companies such as Brave and privacy advocates have accused the ICO of failing to act against violations. Brave first highlighted privacy issues with real-time bidding in 2018. It said that in the thirty months since it blew the whistle, the ICO had failed to investigate and take enforcement action against what Brave describes as a vast, ongoing real-time bidding data breach.
Further, Brave’s research suggested that the ICO had dedicated just 3% of its 680 staff to tech privacy issues, despite being the largest data protection regulator in Europe.
In August this year, a cross-party group of 20 opposition MPs said that the ICO had failed to proactively enforce the UK GDPR. The government’s recent proposals for reforming the UK data protection regime also aim to restructure the ICO.