ICO’s 2011 Annual Report: practitioner essentials, the ICO’s “three wishes” and T.S. Eliot

Claire Walker

For readers who missed the ICO’s inaugural webcast last week, or who have not had a chance to read his Annual Report, Datonomy brings you selected highlights.

But first (and on an unashamedly smug note) Datonomy is grateful to the Commissioner for his answer to the question it posed via the interactive Q&A feature – which, along with the webcast – was another ICO “first”.  We posed the following question:

“As Information Commissioner, if you could have three wishes in the year ahead (relating to UK private sector organisations’ compliance with privacy legislation, to EU policy – or anything else), what would these be?”

The Commissioner responded:

“My three wishes? Businesses to wake up to the fact that 90% of consumers are fairly or very concerned about the privacy of personal information held about them – and to think through the implications for reputation when mistakes are made. Website operators to take their ‘consent’ obligations [i.e. regarding cookies] seriously under the Privacy and Electronic Communications Regulations – because I’ll be after them if they don’t. And more private sector operators to take advantage of the free audit consultancy offered by the ICO to run the ruler over DP compliance. Why wouldn’t you?”

More from us shortly  on the ICO’s stated enforcement stance on cookie consent and third party cookies.

All the Q&A (12 at the latest count)  contain very useful insights on practical privacy issues ranging from the ICO’s approach to data breaches, fines and transatlantic data transfers which will be useful to those dealing with day to day  compliance issues. The interactive Q&A make an excellent complement to the more conventional content of the Annual Report.

Headline risks and radar issues for businesses

Not Datonomy readers will have had time to read the 86 page Report or even the 50 page summary.  So, what does a busy practitioner need to know?

  • Top 10 DP complaints: while issues like security and cookies tend to dominate privacy headlines, complaints about subject access requests are statistically the most likely to reach the Commissioner , accounting for 28% of complaints. Inaccurate data (15%), disclosure of data (12%) then marketing calls and security issues follow, with complaints about email and  SMS bringing up the rear.  
  • Complaints by sector: lenders – though not named – feature high up in the “rogues’ gallery” of most complained-about data controllers by sector, followed by “general business” (whatever that means!), then direct marketing, followed in turn  by local government, health, central government, telecoms and others –  see page 29 of the summary for full details.
  • Consensual audits: to paraphrase the Commissioner’s response to our question above, “what’s not to like about a free compliance audit?” The Commissioner is disappointed by the private sector’s poor take up of a free consensual compliance audit, with only 19% of those private organisations approached taking up the ICO’s offer.  Given that some of these reluctant businesses must have been in the most-complained about sectors of banking and finance, perhaps they would do well to reconsider?  Take up of audits by the public sector – which has suffered its fair share of data breaches – was more enthusiastic.
  • Monetary penalties and other enforcement action: the Report provides a useful catch-up on the first four monetary penalties imposed by the Commissioner, including the factors which contributed to the ICO’s decision to fine in these particular cases.  As a litany of mistakes to avoid, this is a must read for any organisation (see page 37). Undertakings continue to be the ICO’s weapon of choice – see pages 38-39 for illustrations.
  • Enforcement of cookies legislation: the ICO’s approach to developing best practice and enforcing the new rules on cookie consent will be “positive and realistic”.  Despite holding its enforcement powers in reserve until May 2012 to give businesses a chance to come up with workable consent solutions, it doesn’t rule out action “where it is clear that a website owner is doing little to attempt to comply”.
  • The review of Directive: Datonomy readers will already have the review of the EU regime on their radar – the ICO anticipates a busy year helping to shape the revised legislation.

Facts and philosophy for data protection geeks

For privacy geeks interested in the workings and philosophy of the ICO as an institution, there are many other points of interest.  These include the financials, salaries and details of case loads handled and efficiencies made.  On page 10 there are hints at future changes to the funding of the ICO’s respective FOI and DP remits and the possibility that  the ICO might one day break free from the “apron strings of the MoJ” and the “purse strings of HM Treasury”.

The Report is enlivened by some engaging imagery:  the ICO “walks a tightrope” balancing the right to know under the FOIA on the one hand and the right to privacy under the DPA on the other; it is a “robust and ready” regulator, now “armed” with fining powers to boost its “more clearly articulated enforcement strategy”.  But it remains, as we have come to expect, a “practical and helpful” regulator. 

Those who make it to the final page of the long form Report are rewarded with this thought provoking question from T.S. Eliot:

“Where is the wisdom we have lost in knowledge?

Where is the knowledge we have lost in information?”

Datonomy and its correspondents wholeheartedly endorse those sentiments: we try not to bombard our readers too frequently or with with too much information; we certainly aspire to help our readers share useful knowledge with one another.  And as for  wisdom?  Well, we hope you will find the occasional pearl of Data Protection wisdom here too.




Leave a Reply

Your email address will not be published. Required fields are marked *