ICO’s 2008/9 Report initially got lost in a flurry of juicier stories about the new Information Commissioner, behavioural advertising and data security breaches. However, it offers key insights into the complaints ICO receives, what makes data subjects tick and the risks non-compliant marketing can run. Phil Lee reports.
Topic: Privacy
Who: Information Commissioner's Office
When: 2009
Where: UK
Law stated as at: 28 September 2009
What happened:
The Information Commissioner's Office published its annual report for 2008/2009 in June this year (summary available online here). The report flew somewhat under the radar on its publication coming as it did at a time when there was a flurry of press stories focussing on the changeover at the Information Commissioner's Office (with long-serving Richard Thomas handing over the mantle of Information Commissioner to Christopher Graham, former director general of the Advertising Standards Authority).
However, this should not be taken to indicate that the report does not make for an interesting read. To the contrary, it offers a fascinating insight into the nature and volume of data subject concerns voiced to ICO over the past year, as well as ICO's ability to respond to these concerns effectively. Particular data protection highlights include the following:
Data protection complaints continue to grow but can ICO keep up?
The report reveals that the number of data protection complaints received by ICO continues to grow year-on-year (from 22,059 complaints received in 2005/2006 to 25,509 complaints in 2008/2009).
This increase is undoubtedly due to the number of high profile data protection breaches over the past couple of years and also ICO's laudable efforts to educate the public about their data protection rights. However, in doing so, ICO has arguably made a rod for its own back – despite the increase in complaints, ICO actually closed fewer complaints this year than in the previous year (having closed 23,406 complaints in 2008/2009 as compared with 25,592 in 2007/2008 – although, to be fair, ICO also had to manage a greater volume of freedom of information cases this year). In addition, it is interesting to note that ICO is also missing its target service levels for resolving complaints, having closed just 30% of complaints within 30 days (despite an aspirational service level of 45% within this timescale).
ICO has justifiably argued for some time now that it is under-funded and under-resourced. However, with ICO shortly introducing a new two-tier notification fee from 1 October (which will see larger data controllers pay £500 per annum instead of the current £35 fee) it will hope to resolve some of these funding and resourcing issues. What will be interesting to see is whether this funding adequately empowers ICO to manage a growing data protection caseload over the next few years or whether it serves simply to stem the current tide of data protection complaints, requiring ICO to seek further funding in the not-too-distant future.
Non-compliant marketing causes complaints:
In its report, ICO published a list of the top 10 business sectors attracting data subject complaints, with "lenders" and "direct marketing" coming in first and second position (accounting for 16% and 14% of complaints respectively).
Interestingly, these sectors generate almost double the number of complaints received by ICO than any other sector (the rather vague "general business", which comes in third position, generated just 8% of complaints).
In a separate list, ICO details the top 10 reasons that data subjects complain, with live and automated phone calls, e-mails and SMS collectively accounting for 27% of complaints in aggregate.
The important point to take away from this is that these lists represent just the complaints that are actually notified to ICO. The actual number of complaints generated by non-compliant marketing or data protection practices is likely to be much higher than ICO's report alone would suggest. It is a fact of life that many disgruntled data subjects choose simply to switch brands without raising their complaints or to complain only to their friends and families – meaning that businesses that conduct non-compliant marketing are at real risk of losing both actual and potential customers.
Prosecutions remain low but PR risk is still significant
Over the 2008/2009 period, ICO pursued just 14 prosecutions, albeit with a 100% conviction rate. Of those, 12 prosecutions were for the somewhat technical s.17 offence of failing to notify processing activities to ICO (the remaining 2 being for the s.55 offence of unlawful obtaining of personal data) and the largest sentence handed down for a data protection breach was a paltry £500. A mere 9 enforcement notices were served (no change as against 2007/2008), with only 2 of these relating to unsolicited marketing.
Marketers should not be fooled by these statistics into thinking that this means that failure to comply with data protection law is low risk. ICO is, of course, due to get new powers to impose unlimited fines on non-compliant data controllers which promise to alter the UK enforcement regime radically. However, still by far the greater risk to business is the potential brand damage and loss of customer trust that non-compliant data protection and marketing practices can cause. Marketers that ignore this risk do so at their own peril.
Why this matters:
The annual report offers a fascinating insight into ICO's ability to pursue and enforce data protection breaches. It has long complained that it is inadequately resourced and hampered by ineffective legislation that prevents it from adequately fulfilling its enforcement responsibilities, and the annual report would seem to bear this out.
ICO has been promised powers to issue potentially unlimited fines through a "monetary penalty notice" scheme introduced under the Criminal Justice and Immigration Act 2008, but is still waiting for implementing regulations to bring these powers into effect. If the annual report is anything to go by, this is sorely needed – and even new Information Commissioner Christopher Graham has recently described his current data protection enforcement powers as "pathetic".
However, as noted above, marketers should be aware that the enforcement landscape is changing in the UK and it is simply a question of when, rather than if, ICO will take a more active policing role. The annual report shows that unsolicited direct marketing is one of the major causes of complaint and so, when ICO finally gears up its enforcement activities, non-compliant marketers can expect to be put under real scrutiny (particularly bearing in mind Christopher Graham's previous role as director general at the Advertising Standards Authority). Marketers should review their privacy notices, policies and practices to ensure they are properly future-proofed against this regulatory risk.