The Information Commissioner’s Annual Report, which shows data protection regulatory activity in the UK for 2015/2016, was recently published. This report is the last presented by the outgoing Information Commissioner, Christopher Graham. It is a lengthy report but amongst the matters discussed are:
- Whilst the GDPR will abolish the data protection registration regime, it is still an area of focus. The ICO has been carrying out an exercise looking at sectors which were under-represented in terms of data protection registrations. They have been reaching out to organisations that they thought ought to be registered and also following up lapsed registrations (the data protection registration is renewable every year). These initiatives led to between 2750 and 3000 additional registrations. In addition, there were eight prosecutions for failure to register. You can find out more details about the privacy registration process here – http://www.corderycompliance.com/solutions/privacy-registration-and-renewal/;
- People seeking to exercise the Right to be Forgotten are still contacting the ICO. More than 370 people asked the ICO to intervene in the last year. Approximately one third of these related to criminal convictions. In a third of cases the ICO required a search engine to remove results. The ICO said that they had not required removal where a search result related to recent or serious convictions. You can find out more about the Right to be Forgotten here – http://www.corderycompliance.com/first-ico-right-to-be-forgotten-order-against-google/;
- Subject Access Requests continue to make up the highest number of complaints to the ICO, but with a slight drop from 46% of all complaints in 2014/15 to 42% in 2015/2016. We are seeing a considerable rise in the number of Subject Access Requests our clients are facing. According to figures released by the ICO in June, 13% of people in the UK have now made a Subject Access Request. We are likely to see this increase in the number of Subject Access Requests continue with the removal of the fee in the GDPR. There is more on Subject Access Requests here: http://www.corderycompliance.com/subject-access-requests-and-investigations/. The next most popular complaints are disclosure of data (18%), inaccurate data (12%) and security (9%);
- The health sector continues to be the sector which self-reports the most incidents, with 46% of self-reported incidents coming from the health sector and 10% from local government. Interestingly, 4% of self-reports in the last year were from solicitors and barristers. Of the self-reports made to the ICO, the loss or theft of paperwork is the most frequent reason (18%), followed by data posted or faxed to the incorrect recipient (17%), data sent by email to an incorrect recipient (12%) and an insecure webpage, including hacking (8%); and,
- The ICO’s report confirms that the lease on their Wilmslow premises expires on 1 January 2017. There have been rumours of a move from Wilmslow – this is likely to be a decision for the new Information Commissioner, Elizabeth Denham, when she starts this month. There is a brief alert on Elizabeth Denham’s background here – http://www.corderycompliance.com/changes-at-the-top-for-the-uk-data-protection-regulator/.
For more information please contact Jonathan Armstrong, who is a lawyer with Cordery in London, where his focus is on compliance issues.
Office: +44 (0)207 075 1784
(Photo of Wycliffe House courtesy of the ICO)