New laws and high-profile investigations have helped put data protection and privacy at the centre of the UK public’s consciousness like never before, the Information Commissioner has said.

As the ICO’s annual report for 2017-18 was published, Elizabeth Denham said her second year in the role had been ‘one of increasing activity and challenging actions, some unexpected, for the office’.

Ms Denham said:

“This is an important time for privacy rights, with a new legal framework and increased public interest.

“Transparency and accountability must be paramount, otherwise it will be impossible to build trust in the way that personal information is obtained, used and shared online.”

As well as extensive work helping the public and organisations of all sizes prepare for the General Data Protection Regulation (GDPR), and providing expert advice to Government during the passage of the Data Protection Act 2018 through Parliament, the ICO also experienced unprecedented demand for its casework on data protection and freedom of information.

Highlights from the 12 months to 31 March 2018 include:

Helping the public

  • A significant increase in data protection complaints (up 15%), self-reported breaches (up 30%) and freedom of information complaints (up 5%). Against this increased demand, we closed more cases than in any other year; 
  • We received a huge increase in telephone, live chat and written queries from the public and organisations, with new telephone services for small organisations and for self-reported breaches. In the final quarter we had 30,000 more calls than in the previous three months;
  • Creating the ‘Your Data Matters’ campaign to inform the public about their rights;

Enforcing the law

  • We issued the largest number and amount of civil monetary penalties in our history. This included 26 penalties totalling £3.28m for breaches of electronic marketing laws relating to nuisance calls and spam text messages, along with 10 enforcement notices and the execution of three search warrants;
  • Eleven fines totalling £1.29 million for serious security failures under the Data Protection Act 1998. A further 11 fines to charities totalling £138,000 for unlawfully processing personal data and an £80,000 fine issued to a data broking organisation;
  • A total of 19 criminal prosecutions resulting in 18 convictions - a further six cautions were issued and 11 search warrants were executed;

Advice for organisations

  • Ongoing engagement work with organisations in the public, private and third sectors to promote compliance with the laws on information rights;
  • Undertaking 26 new audits, 24 follow-up audits, 43 information risk reviews and 56 advisory visits with small and medium-sized businesses;
  • Continuing to play a leading role in European and global policy and enforcement networks, supporting a new International Strategy;
  • An increased focus on cyber incidents, including a new Technology Strategy and the new ICO Grants Programme to support independent research.

Notes to editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has its head office in Wilmslow, Cheshire, and regional offices in Edinburgh, Cardiff and Belfast.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
  3. The General Data Protection Regulation (GDPR) is a new data protection law which applied in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security. The UK’s decision to leave the EU will not affect the commencement of the GDPR.
  4. Under past and current law, the ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  5. Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17 million (20m Euro) or 4% of global turnover. The maximum under the Data Protection Act 1998 was £500,000. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the ICO.
  6. Previous ICO annual reports can be read on our website at https://ico.org.uk/about-the-ico/our-information/annual-reports.
  7. To report a concern to the ICO go to ico.org.uk/concerns.