ICO has issued its most recent annual report, which reviews ICO's activities over the last year in terms of its audit and prosecution work and its use of its new power to issue monetary penalties. Judith Gordon dissects the report to highlight the points of interest to the marketing sector.
Topic: Data Protection
When: July 2011
Law stated as at: 1 August 2011
At the start of July, the Information Commissioner's Office ("ICO") published their Annual Report and Financial Statements for 2010/2011 (the "Report"). Although the Report predominantly illustrates ICO's general performance over the last financial year, there are a few points coming out of the Report which may be of interest to marketers. We have selected a few of the highlights in this article:
Data Protection casework
The Report looks at the areas and reasoning behind the data protection complaints they receive and breaks down the information into categories. Of the top ten areas generating the most complaints (where a sector is specified), 'direct marketing' came in third at 9%, indicating that this is an area in which marketers are failing to comply. 'Lenders' and 'general business' took the top two spots, coming in at 13% and 11% respectively, whereas 'internet' took the bottom spot at 3%.
In terms of the reasoning behind complaints, 'subject access' was named as the top grievance for complainants making up 28% of the casework. Other reasons making the top ten (and perhaps with more relevance to marketers) included the making of both automated and live phone calls (each accounting for 9% of complaints and coming in at fourth and fifth places respectively), email marketing (seventh place at 6%) and SMS usage (eighth place at 3%).
Monetary penalty powers
Following the introduction in April 2010 of the power to impose penalties of up to £500,000 for serious breaches of the Data Protection Act 1998 ("DPA"), ICO issued a total of four monetary penalties over the preceding financial year. Though the majority of these cases related to local authorities rather than private companies, the lesson is still clear: flagrant breaches of the DPA will not be tolerated and substantial fines will be issued. By way of example, Hertfordshire County Council was issued a fine of £100,000 after papers concerning a live court case involving detailed allegations of the sexual abuse of a child were faxed to a member of the public in error, with a near identical incident being repeated just two weeks later. Marketers should therefore take care to comply with the DPA and related legislation or risk a heavy response.
Also on enforcement, ICO brought a total of five prosecutions over the preceding year. Two of these five related to offences of unlawfully obtaining personal data, with both defendants pleading guilty in the Crown Court and related proceedings taking place under the Proceeds of Crime Act 2002. The other three cases were brought in the Magistrates' Court on account of the defendants (two estate agents and a private investigator) having failed to notify ICO that they were processing data electronically, despite receiving reminders of their obligations.
The importance of compliance is therefore again reinforced. Particular care should be taken to ensure that notification is accurate and is kept accurate, being updated when necessary throughout the year and between renewals. Warnings from ICO should also be heeded.
The Privacy and Electronic Communications Regulations 2003
The Report makes little reference to the new rules on cookies, which were introduced in May 2011, just after the period for which the Report accounts. Where there is mention, however, the Report reinforces ICO's assertion that, in implementing this new law, they will seek to help online businesses to comply in a way that "impacts least harmfully on the user's experience". In relation to enforcement, they further confirm that their enforcement powers will be held "in reserve" until May 2012, intervening only where it is apparent that a website owner is not attempting to comply.
The Information Commissioner also held a Q&A session coinciding with the launch of the Report, in which he further emphasised that website operators should be taking their 'consent' obligations seriously, otherwise he'd be "after them". Enforcement would therefore appear to be a very real threat and so marketers should continue to take action towards full compliance over the next nine months.
The Report provides details of the number of ICO audits which took place in 2010/11 and discusses the success rate of these, as reflected in follow-up audits. With the Information Commissioner himself plugging this audit service in his Q&A session as something that he wishes more private operators would take advantage of, this may be an area that ICO seek to build on in the coming year.
This section of the Report is also interesting in that it looks at the areas that their audits commonly found to need improvement. These include:
- awareness amongst employees of internal data protection policies;
- timely, relevant and specific data protection training; and
- security issues in general (including a lack of encryption on portable IT devices, the use of shared passwords and a lack of basic physical security controls, such as lockable storage).
Marketers should therefore consider whether their own businesses are compliant in respect of the above areas.
The Report makes reference to numerous pieces of guidance and good practice guides available via the ICO website which may prove useful to businesses (and consumers). Marketers should take note of the guides with particular application to their business, such as those relating to the new laws on cookies, the personal information online code of practice and the notification handbook.
Why this matters:
For marketers, the Report serves as a reminder of the key areas under which data protection compliance is required and the ways in which ICO can assist and guide companies as to how they can meet their legal obligations. The Report also demonstrates the range of enforcement tools available to ICO and their willingness to use them. Marketers should therefore ensure compliance through regular assessments of internal practices and procedures and ensure that policies for compliance are disseminated throughout their organisations at all applicable levels.