The ICO’s Deputy Commissioner will be reminding organisations to be transparent with people’s personal data after a survey revealed a significant deficit of trust that organisations must address if they want to innovate with personal information.

The ICO research found that only one fifth of the UK public (20%) have trust and confidence in companies and organisations storing their personal information.

Steve Wood, Deputy Commissioner said:

“As personal information becomes the currency by which society does business, organisations need to start making people’s data protection rights a priority. Putting data protection at the centre of digital businesses strategies is the key to improving trust and digital growth. ”

He added:

“Changes to data protection legislation, which include the introduction of the GDPR, offer organisations an opportunity to re-engage with their customers about data. The new laws require organisations to be more accountable for data protection and this is a real commitment to putting the consumer at the heart of business.”

Mr Wood delivered a speech about the importance of building consumer trust and confidence at Ctrl Shift's Personal Information Economy conference in London.

Other statistics from the ICO survey show British adults are broadly unfamiliar with the specifics of how their personal data is being used by companies and organisations in the UK, with only one in ten (10%) saying they have a good understanding of how their personal data is used.

The survey was conducted by ComRes on behalf of the ICO and is designed as benchmark measurement for the ICO’s Information Rights Strategic Plan 2017-2021. One of the ICO’s main strategic goals over the next four years is to increase the UK public’s trust and confidence in how data is used and made available.

Other key findings from the survey include:

  • UK citizens are more likely to trust public bodies than private companies or organisations regarding holding or sharing their personal information.
  • Three in five (61%) say they have trust and confidence in the NHS or local GP to store and use their personal information while half say the same of the police (53%) or national government departments and organisations (49%).
  • One in ten UK adults (12%) say they have trust and confidence in social messaging platforms storing and using their personal information.
  • Less than one in ten (8%) of UK adults say they have a good understanding of how their personal data is made available to third parties and the public by companies and organisations in the UK.
  • Older UK adults are more likely than their younger counterparts to say they have little trust and confidence in companies and organisations storing and using their personal information.

Mr Wood added:

“By now organisations should be aware of the changes to data protection law next May. It’s no longer acceptable to see the law as a box ticking exercise. Organisations will need to be accountable, to their customers and to the regulator.

“We want to see improvements in these figures. It’s time for organisations to start building the UK public’s trust and confidence in how data is used and made available.”

Notes for Editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
  4. The European Union’s General Data Protection Regulation (GDPR) is a new law which will apply in the UK from 25 May 2018. The Government has confirmed the UK’s decision to leave the EU will not affect the commencement of the GDPR. The Government is introducing measures related to this and wider data protection reforms in a Data Protection Bill.
  5. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
    • fairly and lawfully processed;
    • processed for limited purposes;
    • adequate, relevant and not excessive; 
    • accurate and up to date;
    • not kept for longer than is necessary;
    • processed in line with your rights; 
    • secure; and 
    • not transferred to other countries without adequate protection.
  6. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice. 
  7. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
  8. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.
  9. ComRes interviewed 2,153 UK adults online between 12th and 27th July 2017. Data were weighted by age, gender, region and socio-economic grade to be representative of the UK population as a whole. Full data tables can be found at www.comresglobal.com.