Font Size: A A A


Data watchdog report

Organisations are learning the hard way of the consequences of mishandling people’s information – and others need to heed the lessons the Information Commissioner, Christopher Graham, warned on July 5 at the launch of the Information Commissioner’s Office’s (ICO) 2011/12 annual report. For the 84-page document visit



The increased use of surveillance on public transport is provoking concerns, the report said. The document said: “Our investigation of a complaint from Big Brother Watch about CCTV with sound recording being mandated as part of taxi cab licensing conditions has resulted in a preliminary enforcement notice being served on a local authority on the grounds that the use of continuous sound recording in a taxi results in unfair and unlawful processing contrary to the first data protection principle. We are investigating other authorities and bus companies involved in similar practices.” 


On European regulations for data protection, the ICO says that the process will take up to two years to complete with a further two years for any new legal framework to come in. It is likely that a new framework will have a significant impact on the work of the ICO as well as on data controllers and the rights of individuals, the ICO adds.


On the Leveson inquiry into press standards and use of ‘blagging to gain personal information without permission, Christopher Graham complained in a foreword that the ICO has received ‘precious little credit’ for, he claimed, having been the first to blow the whistle on Fleet Street practices in the ICO 2006 publications, ‘What Price Privacy?’ and ‘What Price Privacy Now?’ In a foreword he wrote: “We are still waiting for the stronger deterrent penalty to the section 55 offence of ‘blagging’ personal information from unsuspecting data controllers that was the key recommendation of those reports of six years ago. Meanwhile, we have been facilitating ‘fast track’ subject access from the so-called Motorman Files for any concerned citizen who wants to know whether or not journalists had, for whatever reason, been commissioning potentially unlawful breaches of their privacy.” The ICO reported interest in the information held relating to Operation Motorman.  Steve Whittamore pleaded guilty to breaching the Data Protection Act. A number of notebooks were recovered during the investigation. These notebooks contained personal details relating to some 4,000 people. People can find out whether anything is recorded about them in these notebooks. Some 98 individuals have used this service.


The annual report came as the ICO imposed a civil monetary penalty (CMP) of £150,000 on the consumer lender, Welcome Financial Services Limited (WFSL), after the loss of more than half a million customers’ details.  Christopher Graham, said: “Over the past year the ICO has bared its teeth and has taken effective action to punish organisations many of which have shown a cavalier attitude to looking after people’s personal information.


“This year we have seen some truly shocking examples, with sensitive personal information, including health records and court documents, being lost or misplaced, causing considerable distress to those concerned. This is not acceptable and today’s penalty shows just how much information can be lost if organisations don’t keep people’s details secure.


“We hope these penalties send a clear message to both the public and private sectors that they cannot afford to fail when it comes to handling people’s data correctly.”


The penalty was issued after WFSL’s Shopacheck business lost two back-up tapes which contained the names, addresses and telephone numbers of their customers in November last year. The tapes have never been recovered. Since being given the power to issue CMPs from April 2010, the ICO has issued 21 penalty notices, bringing the total value of the penalties issued by the ICO to more than £2m. “It’s a case of ‘wake up and smell the CMP,”  Graham said.


While figures from today’s annual report show a 0.3pc drop in the number of data protection complaints received by the ICO – with 12,985 complaints made last year – the report shows the public’s growing concerns about unsolicited marketing calls and texts – rather than (a point not made by the ICO) concerns about a ‘surveillance society’ such as use of CCTV. During the last financial year the ICO saw a 43pc rise in the number of complaints under the Privacy and Electronic Communication Regulations (PECR) – which govern electronic marketing – with 7,095 complaints received.


Commenting on these latest figures, the Information Commissioner said: “Last year the ICO gained tough new powers to tackle unsolicited marketing calls and texts, including the power to impose a penalty of up to £500,000 on the worst offenders.


“We have now set up a dedicated team to enforce the Privacy and Electronic Communication Regulations and we are currently working to identify the operators responsible. The ICO has executed search warrants at a number of sites across the UK linked to companies we believe are breaking the law.


“We have also set up an online reporting mechanism on our website that allows people to report any marketing texts or calls from unidentified senders. We have received over 12,000 reports to date and we are confident that this work will help us identify those responsible.”


The ICO also saw a 7p rise in the number of Freedom of Information complaints, with 4,633 complaints received during 2011/12. Despite this increase in the ICO’s workload and despite cuts in government grant-in-aid, the ICO has reduced by 66pc the number of FOI cases that have been with the office for longer than six months. The number of data protection cases taking over six months to complete has also fallen by 82pc.


“Our work resolving freedom of information requests has also increased. As budgets tighten and public spending comes under even greater scrutiny, public authorities must remain transparent and accountable if they are to retain the trust of the public they serve,” Graham said.  


Meanwhile, the annual reports show a 60pc increase in the number of audits carried out by the ICO ‘Good Practice’ team. Of the 42 organisations audited, 90pc felt that the process raised awareness of the importance of data protection in their organisations. The ICO is extending its audits to cover public authorities’ compliance with the Freedom of Information Act and has also introduced advisory visits to help small and medium sized organisations.


Commenting on the ICO report, Paul Hennin, Marketing Director, EMEA from Proofpoint, a Security-as-a-Service provider, said it highlighted that it’s forcing organisations to pay greater attention to data protection at a board level. However the report acknowledges that there are still major challenges in protecting against inadvertent data loss elsewhere in the business. 


“Many businesses are aware of the risk of external threats, but too often simple steps like internal education or putting in place safety measures are missed and have a major effect as demonstrated by the fines the ICO has announced. Organisations need to take this internal protection of their employees and security data much more seriously as many of the breaches are entirely preventable. 


“The ICO has focused on a growing audit programme and is encouraging more organisations to take part in the programme, whether taking part in the programme or conducting audits internally, organisations need to ask themselves if they have processes in place to not only protect, but also to detect when a breach has occurred. The ICO has also said these audits help raise awareness, this is a key issue that businesses need to address throughout the organisation.


“Trends like increased mobility in the workplace are more prevalent in the private sector, as a result there is more responsibility to ensure the appropriate measures are in place. Data is now increasingly found beyond the corporate network and no longer only just behind the firewall, it could be anywhere, such as on personal devices but even companies who don’t have consumer devices in the workplace will face this challenge as a result of increased mobility. Private sector organisations should not be led into a false sense of security, the risk to corporate reputation is just as great as they face increasing challenges in enabling mobility in the workplace, and the risks to data protection that this can bring.”


Related News