Barry Mccormack

ICO Enforcement Analysis


Looking at the ICO sanctions over the past year shows us that there have been only 56 Monetary Penalties, Enforcement Notices and Prosecutions. This is down from 77 in the previous year. The ICO was more active in decision notices, with 1314 notices this past year, mostly on Public Departments and Councils.


The UK regulators are not afraid to tackle difficult issues. For example, they fined the UK Government Cabinet Office a whopping £500,000 for failing to put in sufficient measures to prevent a data breach of the New Year’s honours list. Personal Data was displayed on a government website, which brought the complaint and regulatory action. The ICO also upheld two separate decision notices against the Cabinet for failures arising from the Freedom of Information Act (FOI). Bizarrely, the Information Commissioner also upheld a complaint against its own organisation, the ICO, for failing to respond to a FOI request.

Possible bias

Behind-the-scenes volumes of casework are not revealed; however, analysis of the workload in terms of decision notices seems biased against Public Sector Bodies, Health Trusts and Councils, with more than 768 complaints upheld against them from 1314 cases. This bias seems unfair. FOI requests are resource intensive: they take a lot of staff time to complete and detract from other tasks. This is particularly frustrating if you work in Health Care, where patient work may suffer because key staff are being seconded to reply and opine on FOIs. The deadline, which is 20 days and not a month like a data subject right request, compounds the issue.


Looking at the ICO's overall Audit and Monitoring activity, again it seemed very skewed towards public bodies, and very few commercial organisations were present in their list.

Charities

The ICO has never been afraid to fine charities. The transgender charity Mermaids was fined £25,000 for failing to keep personal data secure. In the past it has fined Battersea Dogs Home, Cancer Research and the Society for the Prevention of Cruelty Towards Children. Tough love indeed!

PECR

The highest category of penalties and prosecutions arose in unsolicited marketing (29%), which is a consistently high category year on year. For example, “We Buy Any Car ltd” was fined £200,000 for not satisfying the lawful basis of soft opt-in. Saga was fined £150,000 for sending nuisance text messages and Sports Direct was fined £70,000 for sending nuisance emails. Two people received suspended sentences for selling unlawfully obtained personal data on accidents.


What was a surprise was the number of nuisance complaints received under PECR relating to SMS, Telephone Calls, Automated Calls etc. There were 83,558 for the first six months of the year. Annualised, that is about 160,000 a year, all of which will require investigative work.

Missing in Action

The ICO sanctions notably did not take much notice of Adtech, Cookie Data offences, Data Subject Rights Requests, Artificial Intelligence, Mass Surveillance, Big Data or Fair Processing on Privacy Notices issues.

Summary

In summary, their activity this past year appears light touch on sanctions for commercial organisations and heavy on FOI requests and Audits for Public Bodies and Councils. With that in mind, it seems strange that this year has prompted a consultation by the Secretary of State for Digital, Culture, Media, and Sport to dumb down the UK GDPR. It will be interesting to see which way the new incoming Captain John Edwards steers the ship.



