Out-Law News 2 min. read
15 Jul 2014, 3:35 pm
In its annual report for 2013/14 (84-page / 1.05MB PDF), the Information Commissioner's Office (ICO) said that it received 14,738 data protection complaints in the past year to add to the 13,760 it had received in 2012/13. It said it resolved 15,492 data protection complaints in the last 12 months, up from 14,280 cases resolved during 2012/13.
Half of all the data protection complaints received in the past year were related to the alleged mishandling of subject access requests. Of all the complaints the ICO received, 17% were directed at lenders, 12% at local government agencies and 10% at health bodies.
The ICO launched an investigation into a record 1,755 data protection cases in 2013/14 and served fines totalling £1.97 million on some of the organisations it deemed to be in serious breach of the Data Protection Act.
The ICO also reported a 10% increase in the complaints it received about the alleged mishandling of freedom of information (FOI) requests by public bodies, with 5,151 such complaints received in 2013/14. It said it resolved 5,296 FOI complaints during the period.
More than 160,000 concerns were raised about organisations' compliance with the UK's Privacy and Electronic Communications Regulations (PECR), the ICO said. PECR sets rules on a number of different issues, including direct marketing activities and the setting of 'cookies' on internet users' web browsers. The rules also prohibit so-called nuisance calls and other spam marketing activities.
The watchdog also said that it "received and followed up" on more than 260 reports it received from communication service providers about personal data security breaches those companies had encountered.
In accordance with EU rules that apply to public electronic communication service providers and which came into force last year, the service providers are generally obliged to inform a national regulator – the ICO in the UK – within 24 hours of detecting that they have experienced a personal data breach. The companies have to supply the regulators with a range of information about the breach, including the estimated date and time of the incident, the nature and content of the personal data concerned and how many individuals are affected. In certain cases, the companies must also notify individuals affected by a personal data breach.
Those notifications must be made "without undue delay" in cases where the breach is "likely to adversely affect the personal data or privacy" of those individuals. This is unless they can show regulators to their satisfaction that the use of "technological protection measures" has rendered the breached data "unintelligible to any person who is not authorised to access it".
However, the report also identified a number of concerns over future funding for the ICO. Information Commissioner Christopher Graham said the body can only protect the public's information rights if it has sufficient powers and resources to do so.
"People need to know someone is watching over their information," Graham said. "That needs to be someone who’s independent, of government and business, so the public know the regulator can be trusted."
"Independence means someone who’s got the resources to take on this ever-growing number of cases. The last twelve months have been a record year – more complaints resolved than ever, more enforcement action taken and more advice given through our helpline. And it also means having the powers to act on the more serious complaints. A strong regulator is needed if a data breach affects millions of people. That someone is the Information Commissioner. We’re effective, efficient and busier than ever. But to do our job properly, to represent people properly, we need stronger powers, more sustainable funding and a clearer guarantee of independence," he said.