How many UK companies have “Notified” the Information Commission that they are processing personal data? How many prosecutions were brought in 2002/3 against alleged data protection miscreants? What does the Information Commissioner earn?
Topic: Data Protection
Who: The Information Commissioner
Where: Wilmslow, Cheshire
When: July 2003
What happened:
The UK's data protection watchdog, the Information Commissioner, released its annual report and accounts for the year ending 31st March 2003.
On the financial side, the report reveals a healthy jump in fee income from notification fees (all those in the UK who process personal data must 'notify' with the Information Commission and pay an annual £35 fee) from £6.2 million to £7.5 million. The salary for the new Information Commissioner, Richard Thomas, is revealed as something in the region of £100,000, whilst the average number of people employed at the IC rose from 161 in the previous year to 198, with aggregate payroll costs rising from £2.9 million to £3.8 million.
Continuing in a number crunching vein, the Information Commissioner's telephone help line dealt with nearly 60,000 enquiries during the year under review, and the IC as a whole handled some 12,000 requests from members of the public to assess whether the Data Protection Act had been complied with in particular cases. The total number of notifications on the register grew from 198,509 to 211,251, a reasonably healthy increase but still, marketinglaw suspects from its own experience, a substantial way short of the number of notifications that should strictly be on the register if all those entities processing personal data in the UK comply with the law.
Away from the numbers, two particular initiatives mentioned in the Report include a move to set up and manage regional offices to be established in Scotland, Wales and Northern Ireland, with an Assistant Commissioner in each one, and a launch of a project to identify the scope for simplifying data protection compliance without damaging its effectiveness. On the enforcement front, the Commissioner wants to explore in particular what might be put in place swiftly through secondary legislation, or changes of enforcement policy, so as to improve policing and compliance.
From a marketer's point of view there is nothing spectacular in the Report. Throughout the document, there are helpful real life 'case studies' of enforcement histories. However, not a single one of them deals with a marketing-related scenario.
Fax marketers get a particular mention, with a large number of complaints having been received, although the report indicates that, encouragingly, over the last few months there has been a marked decrease in the number of complaints in this area.
It is also mildly encouraging that contrary to reports from some recent website compliance surveys, the Commission's own survey in April 2003 of 99 travel-related websites, focussing on their compliance with the first data protection principle of fair obtaining of personal data, indicated no deep-seated or widespread problem of non-compliance with the Act.
On the enforcement front, the report indicates a steady increase in enforcement activity with 91 prosecutions brought before the courts in the year under report, compared with 66 in the previous year and 23 in 2000/01. Out of the 91, 80 cases secured convictions, with the fines mostly ranging between £50 and £250 and the highest fine of the year prize going to London Borough of Islington at £3,000 and an order to pay £2,350 costs.
None of these cases appears to be marketing-related, although most of the convictions dealt with either illegally obtaining personal data or selling it.
In the area of digital marketing, the report notes that complaints about unsolicited emails are starting to be received. It refers to the upcoming implementation of the Privacy and Electronic Communications Directive, but cautions that, because much spam originates from outside the EU, giving rise to obvious investigative and jurisdictional difficulties, the Directive is not a panacea. The Commission indicates that it intends to explore the possibility of 'identifying sources of authoritative and regularly updated advice for internet users on the practical steps they can take to minimise the chances of receiving unsolicited emails'.
A final highlight from a marketinglaw point of view is a useful Appendix summarising recent developments in data protection jurisprudence. This reports and comments on a total of 10 cases reported during the last year or so. These include a reference to the Islington Borough Council case, where the record fine of the year of £3,000 was levied. This related to a failure on the part of the Council to renew its data protection registration. The case established that a body such as the Council, or in other cases a limited company, could be guilty of recklessness in terms of the offence of 'knowingly or recklessly using personal data for purposes not contained in registered entries' under the 1984 Data Protection Act. Although the 1998 Data Protection Act has now taken its place, the Commissioner believes that this case provides useful authority in relation to issues of corporate responsibility, establishing an important principle that the knowledge and actions of the directing minds of the corporate body must be taken together with the actions of those to whom administrative functions are delegated in order to determine criminal responsibility for the actions of a corporate body. In the Islington case, this meant that their case was sunk once the prosecution had established that senior employees at the level of director and/or assistant director of finance were well aware of the Council's duties under the 1984 Act and were responsible for ensuring compliance with the Act. This was sufficient to fix them with the relevant knowledge for the offence to have been committed, and the fact that a lower Council official had left the Council by the time the registration expired was in the Court's view irrelevant.
Other cases reported and commented on include the high profile Naomi Campbell/Mirror Group Newspaper case of 2002. Apart from anything else, the verdict of the Court in this case put beyond doubt that publishing information about an individual in a newspaper was within the very wide definition of 'processing' of personal data in the 1998 Act. The Hello!/Douglas/Zeta-Jones case is also mentioned and in the area of privacy rights, the Commissioner takes the view that the courts are 'still slowly and carefully moving towards establishing a common law concept of privacy within, alongside or, possibly outside the realms of the law of confidence'.
Why this matters:
The Report provides an excellent insight into the workings of this increasingly important body, at a time of transition, with Richard Thornton having only recently arrived as the new Commissioner. It is well worth a read for the case law Appendix alone.