Trends in recent enforcement actions from the Information Commissioner's Office (ICO)

The ICO has a number of enforcement powers at its disposal to ensure that organisations meet their data protection obligations, which include: 
  • Enforcement Notices – requiring organisations either to take specified steps or to cease a particular activity to comply with their data protection obligations;
  • Monetary penalties – which could amount to up to £17.5m or 4% of global turnover (whichever is greater);
  • Issuing reprimands – the ICO issues reprimands where it believes that an organisation has not complied with the requirements of the Data Protection Act 2018 (accompanied by a list of reasons for the decision and actions that an organisation should take);
  • Prosecutions – where individuals may be personally liable for accessing or using personal data unlawfully. 

A summary of the ICO’s decisions/enforcement action 

Between February and June 2024, the ICO took a total of 21 actions, making use of various enforcement powers at its disposal. Some of the notable trends during this period include:

♦ Reprimands for the public sector 
The ICO issued a total of 10 reprimands across the public sector in the last 4 months, reflecting the Commissioner’s revised approach to public sector enforcement. Last year, the ICO clarified how organisations across the public sector can improve their data protection practices in the ‘Lessons Learned from Reprimands’ update. In this release, the ICO advised organisations to:
  • Provide adequate training for employees;
  • Respond to information access requests within the statutory timeframes;
  • Implement the data protection by design and default approach.

♦ Transparency in health and social care
With the increased use of new technologies in the health and social care sector, the ICO has issued guidance to make sure that organisations are being transparent with individuals about how their personal data is being used. In April 2024, a trust was reprimanded for failing to respond to Data Subject Access Requests (DSARs) within the statutory timeframe. Employees automatically extended requests without informing data subjects, demonstrating their lack of understanding of the requirements on data subject access rights. Organisations should ensure employees receive adequate training so that they comply with data protection regulations.

♦ Direct Marketing/Nuisance Calls and Emails Concerns
The ICO continues to tackle nuisance communications and enforce the Privacy and Electronic Communications Regulations 2003 (PECR). Between February 2024 and June 2024, 7 enforcement notices and monetary penalties were issued to organisations for sending unsolicited direct marketing calls and messages. In particular, 2 organisations were fined £340,000 for making aggressive and unwanted marketing calls to individuals on the UK’s “do not call” register, the Telephone Preference Service (TPS). Not only have the organisations involved suffered financial consequences, but they also face reputational damage, as the ICO has published the enforcement notices on its website. Considering this, it may be a good time to refresh your knowledge of the ICO’s guidance on direct marketing communications using electronic mail.

♦ Fines
A fine of £350,000 was issued to an organisation for not having the appropriate security measures in place. The organisation inadvertently used the “To” field rather than the blind copy (“BCC”) field when sending out its communication, and as a result disclosed 265 unique email addresses. This should serve as a reminder of the importance of implementing appropriate technical measures and providing training to minimise the risks of individuals’ information being inappropriately disclosed via email. The ICO has also previously advised organisations to use bulk email services, mail merge, or secure data transfer services when sending any sensitive personal information electronically.

Why is this significant and what does it mean for me?

The ICO’s enforcement actions act as a cautionary signal about the consequences of non-compliance. Based on some of the recent ICO areas of focus, highlighted in this article, it’s worth considering the following within your own organisation:
  • Awareness – Is data protection awareness training embedded throughout the employee lifecycle? Are your employees aware of their data protection obligations?
  • Accountability – Are you truly embracing the GDPR’s accountability principle, ensuring that you not only follow regulations but actively demonstrate and document your commitment to responsible data handling?
  • Engaged in marketing activity – Can you provide the following evidence?
    • Consent from the recipient, including an audit trail of the time and date consent was received.
    • That the consent statement was written in clear and plain language for all to understand.
    • That each data processing activity is clearly documented, and data subjects have been given the opportunity positively to opt in and opt out of any future marketing correspondence. 

ICO's Data Protection Priorities

The Information Commissioner has laid out the key areas it will be prioritising in 2024 - children’s privacy, advertising technology and artificial intelligence:
  • Children’s privacy
    • The ICO, working alongside Ofcom, has recently published content moderation guidance. The aim of this guidance is to ensure that organisations know how to comply with data protection law as they carry out content moderation. Following the introduction of the Children’s Code, the ICO and Ofcom are aiming to encourage influential stakeholders to adjust their practices and set expectations across their industries.
  • Advertising technology
    • Following the ICO warning that organisations must make it as easy for users to “Reject All” advertising cookies as it is to “Accept All”, the regulator continues its close oversight of cookie banners on UK websites. The ICO is now developing an automated tool to monitor and regulate cookie compliance, allowing it to identify websites with non-compliant banners and highlight data protection law breaches. These recent actions highlight the ICO’s commitment to ensuring organisations promote user control and enable individuals to make an informed choice before accepting any website cookies.
  • Artificial Intelligence
    • With the aim of protecting individuals’ rights while allowing for innovation, the ICO is committed to ensuring AI technologies are implemented in a way that complies with the principles of UK data protection legislation. In view of this, a consultation series on Generative AI has been launched to provide further clarity on the evolving landscape.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.