The Information Commissioner’s Office (ICO) has published its annual report for 2019-20, covering what the Information Commissioner has called a “transformative period” for privacy and data protection and broader information rights.
Information Commissioner Elizabeth Denham said:
“We have seen a transformative period in our digital history, with privacy established as a mainstream concern, and with complex societal conversations increasingly asking data protection questions.
“This report shows the ICO has been at the centre of those discussions, from how facial recognition technology is used to how we protect children online.”
Highlights from the report, which covers the 12 months to 31 March 2020, include:
Supporting and protecting the public and organisations
The Age Appropriate Design Code, introduced by the Data Protection Act 2018, was published in January. When it comes into full effect, it will help steer businesses to comply with current information rights legislation.
We intervened in the High Court case on the use of facial recognition technology by the South Wales Police as part of our work to ensure that the use of this technology does not infringe people’s rights. As a response to the judgement, we issued the first Commissioner’s Opinion.
Guidance for businesses and organisations on data protection and Brexit implementation was published to help them comply with the law once the UK leaves the EU.
Our new freedom of information strategy was launched which sets out how we work to create a culture of openness in public authorities. It also commits us to making the case for reform of the access to information law as set out previously in our Outsourcing Oversight report.
- We received 38,514 data protection complaints.
- We closed 39,860 data protection cases (up from 34,684 in 2018/19).
- We received 6,367 freedom of information complaint cases.
We took regulatory action 236 times in response to breaches of the legislation that we regulate. That included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines.
Over 2,100 investigations were conducted.
We settled a case with Facebook, which had been brought under the Data Protection Act 1998.
Through our successful regulatory sandbox service, we have worked with a number of innovative organisations of all sizes to explore new data uses in a safe way while helping to ensure their customers’ privacy.
We also received additional resources from the government’s regulators innovation fund to set up a hub with other regulators to streamline and reduce burdens on businesses and public services using data.
Our research grants programme has encouraged innovative research into privacy and data protection issues.
In January, we launched our consultation on an AI framework to allow the auditing and assessment of the risk associated with AI applications and how to ensure their use is transparent, fair and accountable.
On a global scale, we continue to chair the Global Privacy Assembly, driving forward the development of the assembly into an international network that can have an impact on key data protection issues across the year. This helps to protect UK citizens’ personal data as it crosses borders and helps UK businesses operating internationally.
Due to the period covered by the report, it does not reflect the impact of COVID-19, although, acknowledging the pandemic, Ms Denham said: “The digital evolution of the past decade has accelerated at a dizzying speed in the past few months. Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family.”
But she added: “The law has not changed, and the ICO continues to be a proportionate and practical regulator.”
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
- The General Data Protection Regulation (GDPR) is a data protection law which has applied in the UK since 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security.
- Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17 million (20m Euros) or 4% of global turnover.
- Previous ICO annual reports can be read on our website at https://ico.org.uk/about-the-ico/our-information/annual-reports.
- To report a concern to the ICO go to org.uk/concerns.
For further information, please contact the ICO press office on 0303 123 9070 or email firstname.lastname@example.org.