THE INFORMATION Commissioner’s Office (ICO) has published its Annual Report for 2019-2020, covering what the Information Commissioner Elizabeth Denham has called a “transformative period” for privacy and data protection and broader information rights.
Denham (pictured, right) said: “We have seen a transformative period in our digital history, with privacy established as a mainstream concern and with complex societal conversations increasingly asking data protection questions. This report shows the ICO has been at the centre of those discussions, from how facial recognition technology is used through to how we protect children online.”
The report covers the 12 months to 31 March 2020 and focuses on how the ICO supports and protects the public and organisations.
The Age Appropriate Design Code, introduced by the Data Protection Act 2018, was published in January. When it comes into full effect, it will help steer businesses to comply with current information rights legislation.
The ICO intervened in the High Court case on the use of facial recognition technology by the South Wales Police as part of the former’s work to ensure that the use of this technology doesn’t infringe people’s rights. As a response to the judgement, the ICO issued the first Commissioner’s Opinion.
Guidance for businesses and organisations on data protection and Brexit implementation was published to help them comply with the law once the UK leaves the EU.
Meanwhile, the ICO’s new Freedom of Information Strategy was launched which sets out how the organisation works to create a culture of openness in public authorities. It also commits the ICO to making the case for reform of the access to information law as set out previously in its Outsourcing Oversight report.
Year in figures
Across the 12 months covered by the document, the ICO received 38,514 data protection complaints. The organisation closed 39,860 data protection cases (up from 34,684 in 2018-2019) and received 6,367 Freedom of Information complaint cases.
The ICO took regulatory action 236 times in response to breaches of the legislation that it regulates. That included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines. Over 2,100 investigations were conducted in all.
The organisation also settled a case with Facebook, which had been brought under the Data Protection Act 1998.
Through its successful regulatory sandbox service, the ICO has worked with a number of innovative organisations of all sizes to explore new data uses in a safe way while helping to ensure their customers’ privacy. The ICO also received additional resources from the Government’s Regulators Innovation Fund to set up a hub with other regulators designed to streamline and reduce burdens on businesses and public services using data.
The ICO’s research grants programme has encouraged innovative research into privacy and data protection issues.
Back in January, the ICO launched its consultation on an Artificial Intelligence (AI) framework to allow the auditing and assessment of the risk associated with AI applications and how to ensure their use is transparent, fair and accountable.
On a global scale, the ICO continues to chair the Global Privacy Assembly, driving forward the development of the latter into an international network that can have an impact on key data protection issues across the year. This helps to protect UK citizens’ personal data as it crosses borders and also assists UK businesses when operating internationally.
The report doesn’t reflect the impact of COVID-19. Acknowledging the pandemic, Elizabeth Denham said: “The digital evolution of the past decade has accelerated at a dizzying speed in the past few months. Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family. The law hasn’t changed, though, and the ICO continues to be a proportionate and practical regulator.”