ICO Annual Report 2022 – Key Highlights

September 7th, 2022 Posted in Data Protection

The ICO has issued its annual report and financial statements for the period from 1 April 2021 to 31 March 2022. This is the first annual report since the new Commissioner, John Edwards, was welcomed into the post, following Elizabeth Denham’s departure in November 2021. The report reflects on the most significant events that have impacted the regulator’s work in the past 12 months and highlights the ICO’s key achievements for this period. In his foreword, the Commissioner described 2021/2022 as “…a year of action and impact…” and the detail within the pages that follow supports this initial statement.

The report is an easy read (albeit a long one, at 151 pages) and, as usual, it is divided into three main sections entitled “Performance Report”, “Accountability Report” and “Financial Statements”. Our blog focuses on the areas we consider will be of most interest to our readers. The full report is available here: ICO Annual report 2021-22.

Performance Report

The Performance Report begins by reiterating the ICO’s existing mission, vision and strategic goals, together with its values to be ‘ambitious’, ‘collaborative’ and ‘service focussed’ in the manner in which it upholds information rights for the UK public in the digital age. However, the report also highlights that the ICO’s Information Rights Strategic Plan came to an end in July 2022 and that the ICO therefore launched a draft of its new strategic plan for the next three years, ICO25, on 14 July 2022. The new plan is open for public consultation until September 2022. You can participate via the ICO’s call for views.

Following the introduction, the report summarises the ICO’s activities for the preceding year in six sections, as set out below.

  1. Supporting the Public

The ICO highlights that it is continuing to support individuals and organisations throughout the UK, including the vulnerable members of society such as the elderly and children, as its helpline takes a high volume of calls every year. The ICO has also responded to the government’s proposals for the reform of the UK data protection legislation and it has worked on the draft Journalism Code of Practice.

  2. Enabling innovation and economic growth

The ICO recognises that using data innovatively can bring many benefits for us all but that the processing still needs to be carried out lawfully. To assist organisations with this, the ICO launched its AI and data protection risk toolkit in July 2021. This is designed to help organisations manage the risks to personal data within AI technologies and should be used alongside the ICO’s guidance on AI and data protection, “Explaining Decisions Made with AI”.

The ICO also explains in its report how it has been working with businesses to help them comply with data protection law, and how it opened consultations on new guidance for data protection and employment practices and on the International Data Transfer Agreement (“IDTA”), International Data Transfer Agreement Addendum (“IDT Addendum”) and associated guidance. The final versions of the IDTA and IDT Addendum were published for use in March 2022.

  3. Raising global data protection standards

The ICO states in its report that, as Chair and Secretariat (until October 2021) of the Global Privacy Assembly (“GPA”), it has been advocating for high data protection standards across the globe.

In further emphasising its work in this area, the ICO highlights that:

  • the UK was granted adequacy status in June 2021,
  • in May 2021, it signed a Memorandum of Understanding with the New Zealand Office of the Privacy Commissioner,
  • the Australian Information Commissioner and the ICO worked together to investigate how Clearview AI Inc. processes personal data. (Clearview were in the business of scraping data from the internet and using biometrics for facial recognition. Clearview have since been fined.)

  4. Taking regulatory action

It appeared to be a busy year for the ICO in terms of taking formal enforcement action against those organisations that committed serious breaches of the data protection legislation, as it issued 37 fines and penalties under the Privacy and Electronic Communications Regulations (“PECR”) and the Data Protection Act 2018 (“DPA”), and 24 reprimands.

Of the penalties mentioned above, the most significant was in relation to Clearview AI Inc. The ICO initially published an intention to issue a fine to Clearview for £17 million but this figure was subsequently reduced to £7,552,800. Whilst this was a huge reduction, it was nonetheless still a significant sum. Clearview have also received fines from the regulators in France, Italy and Australia.

  5. Supporting the public sector

The report explains how the ICO has been working with the public sector by, for example, issuing new guidance on how the direct marketing rules apply to them and encouraging them to use Privacy Enhancing Technologies (“PETs”) when processing personal data.

  6. Delivering the ICO service experience

In the report, the ICO acknowledged that its service in the past 12 months was not as good as it could have been but confirms that it has an improvement plan. That said, the ICO indicated that it scored 69.4 in a survey it conducted in relation to its service, which is only 0.6 short of achieving the ICS Quality Mark Accreditation. The survey revealed that customers were satisfied with the helpfulness and competency of staff, and with ease of access to the ICO service and website, but less so in relation to how the ICO handles complaints. With a view to addressing the problem areas within its service, the ICO issued its charter in October 2021. The charter explains how the ICO will comply with its corporate values and provide a reliable and responsive service, and that customers who remain dissatisfied can complain to the Parliamentary and Health Service Ombudsman.

Operational Performance

The annex to the annual report contains details on the ICO’s operational performance, which is where interesting statistics relating to the regulator’s duties can be found.

The report indicates that the ICO received just over 36,000 data protection complaints in 2021/2022, a figure that is only a fraction lower than the previous year. It has reduced its backlog by over 3,000 compared to the same period the year before but it intends to significantly improve on this and has plans to eventually process complaints in real-time, so that there is no backlog.

Of the significant number of data protection complaints the ICO received, most of the complaints (21.66%) related to the right of access, followed by the right to obtain a copy of data (15.13%). This is, perhaps, unsurprising, bearing in mind that people are becoming increasingly aware of their rights under the UK GDPR, exercising them and complaining if they are dissatisfied.

Also worthy of note are the statistics relating to personal data breaches. The ICO was notified of 9,571 such breaches in 2021/2022 (which is a similar number to the year before) but only conducted a full investigation into 9.6% of them, with the vast majority falling into the ‘informal action’ or ‘no further action’ categories.

Financial Statements

There is a lot of detail in the financial statements but perhaps the ‘key takeaway’ is the change in how the money collected from civil monetary penalties will be used. At the moment, the ICO does not retain these funds, as they are deposited in the Consolidated Fund, which is the government’s general bank account. However, this arrangement will change moving forward, as in June 2022, it was announced that the government agreed that the ICO can retain some of these funds to cover the cost of litigation in cases where legal proceedings are required to recover unpaid civil monetary penalties. A similar arrangement has already been implemented between the government and other regulators.

Summary

It has been another busy year for the ICO. In the last 12 months, the ICO has issued numerous monetary penalties against those that disregard data protection law, conducted investigations, provided new tools, documentation and guidance, and taken significant steps to support and better serve the public and the organisations it regulates. However, the ICO plans to improve further still and we look forward to the publication of the final version of its strategic plan for the next three years.

Written by Sandra May

Sandra is an experienced senior data protection consultant and is a designated DPO for Evalian™ clients. Sandra spent much of her career as a litigation lawyer and over the last ten years has been focusing on specialising in data protection. Sandra's qualifications include BCS Practitioner Certificate in Data Protection, ISEB Certificate in Data Protection, as well as being a FCILEx (Fellow of the Chartered Institute of Legal Executives).