Privacy watchdog fails on fines for data protection breaches

More than £2.8 million of the fines issued by the ICO in the last financial year remains uncollected


ICO and fines

Britain’s personal data watchdog has failed to collect millions in fines for breaches of the Data Protection Act (DPA).

The Information Commissioner's Office (ICO) is responsible for enforcing the DPA and the new GDPR rules, which come into force today (25 May 2018). Figures I obtained through Freedom of Information requests show the following.

The total sum of fines issued under the Data Protection Act 1998 (DPA) and Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) for each of the last three financial years is:

2015-16 – £2,529,250

2016-17 – £3,556,100

2017-18 – £4,809,700

But how much of this was actually received?

2015-16 – £748,100

2016-17 – £1,938,600

2017-18 – £1,923,655

So in the most recent year, for example, the ICO collected less than 40% of the fines it imposed: £2,886,045, more than 60% of the total, was not received.

Whilst the total fined has risen every year, the proportion actually collected fell in the latest year, from around 55% in 2016-17 to around 40% in 2017-18 (it was under 30% in 2015-16). The ICO is keen to point out that several factors affect the difference between the amount fined and the amount paid in any given financial year: early-payment discounts, appeals and payment deadlines that fall into the next year [1].

GDPR means more cash for the ICO

Under the data protection legislation, companies and other organisations that process personal data must register with the ICO and pay an annual fee for the privilege. I uncovered how the ICO will benefit financially from the new GDPR rules. Last year (2017/18) £21,299,976 was raised in data protection fee income. The projected data protection fee income for this year (financial year 2018/19) is £32,341,250, an uplift of £11,041,274.

74% of the ICO's income will be spent on salaries: a massive £24,983,045 for around 400 staff!

I contacted the 31 other countries bound by the EU law regarding the data protection registration and asked them if they charged a fee. 15 responded to say that they did not.

Support for businesses from the ICO lacking

Although GDPR is generally good news for consumers (see Ten ways GDPR will help consumers), the ICO faces widespread criticism of its handling of the new legislation. Despite the massive hike in projected income and the increase in staff, big business and sole traders alike are frustrated by the lack of support and consistent advice on the new data privacy law.

We are all seeing an increase in emails requesting consent to keep us on mailing lists, which are unnecessary where the sender already has our permission. Laura Light, blogger at savings4savvymums, is one of many sole traders frustrated by all the conflicting advice. “I was on the phone last week asking about opt-ins, to then be told by a different advisor the info I was told was wrong! They need to get their facts straight and stick to them. How on earth can anyone be expected to get it right when the ICO doesn’t even know what’s right?”

Naomi Willis was left on hold for 1 hour 40 minutes before being cut off, and then again for nearly two hours, when she rang the ICO. To say nothing of the ICO website being down for most of the day yesterday!

Why is a registration fee for data protection needed?

Naomi from Skint Dad, a small business, questions the need for a fee: “The whole idea of GDPR is that everyone should be doing it. I don’t therefore understand why most need to pay a fee to the ICO. Having a fee is just putting people off from following the new legislation. It’s not like the money has gone on any support!”

And, as mentioned above, other countries undertaking the same work are not charging. Why?

Jumping on the GDPR bandwagon

There also appears to be an increase in companies seeking to capitalise on the confusion. Naomi has noticed that people with no legal background who appear to have read (some of) the guidelines are offering very expensive advice to people and organisations who are wrongly panicking about being fined. Willis worries for next week and beyond: “I think it will be worse from next Tuesday as these people will become parasites, just looking at websites with no privacy policy, then trying to hard sell them generic policies that aren’t fit for purpose.”

GDPR causing unnecessary costs for small organisations

The cost of GDPR is hitting organisations across the board, especially in the not-for-profit sector. Already cash-strapped schools and local authorities must spend thousands of pounds on privacy staff and external advice, but are not being given any extra funding to do so.

While most privacy policies are written in dry legal language, some small businesses have taken a novel approach to these documents. For example, the website WritersHQ has created a witty explanation of every area of GDPR, full of choice language, in its Privacy Policy. The popularity of the policy, which has been shared widely on social media, is perhaps a reflection of how small businesses feel about GDPR! Marianne Chua is a wedding photographer whose Privacy Policy takes a humorous, sarcastic slant. For example: “I’m happy to show you the information I have on you, and unsurprisingly it’ll probably be exactly the things you’ve told me because sadly I am neither a spy nor a mind reader.”

ICO and protection irony

The ICO is making sole traders’ postal addresses public! For most sole traders this is their home address, making them vulnerable to a number of issues. The ICO does not have to make these home addresses public. But the ICO said: “Even though it is no longer a legal requirement under the GDPR, the ICO will continue to publish a register of data controllers because we recognise there is a public interest in transparency and accessibility. It is important that data subjects have a clear way to contact data controllers and to exercise their legal rights. Being a data controller represents responsibilities, one of which is to be easily accessible to data subjects. We will be publishing the postal addresses of data controllers, including sole traders. We will not be asking for consent to do so but we will be advising them that they can provide a PO Box address instead if they wish to do so.”

ICO and glass houses

I think Naomi sums it up perfectly: “Information we need to provide must be ‘concise, transparent, intelligible and easily accessible’ but the ICO seem to be having a hard job of doing this themselves! What I’ve seen from them is long winded, full of holes, late and the information on their site goes around in circles, let alone having a chance to speak to a human for support!”

Time perhaps for the ICO to get its own house in order before it starts looking at fining businesses?


[1] A spokesperson for the ICO said: “If the Commissioner receives full payment of the monetary penalty within 28 calendar days of the notice being sent, the Commissioner will reduce the monetary penalty by 20%.

Secondly, ongoing or successful appeals against a CMP will delay, or negate, the amount of CMP to be paid. In some cases, appeals to the FTT can lead to the reduction in the amount organisations are required to repay.

In addition, each monetary penalty notice issued will define a timeframe in which the CMP should be paid, which will be a period of at least 28 calendar days beginning the first day after the monetary penalty notice has been served. Therefore, in more recent cases, although a monetary penalty notice has been issued, payment may not yet have been made.”

How to get answers from Government & other public bodies

What is the Freedom of Information Act?

Freedom of Information Requests can be made of any public body:

government departments, and other public bodies and committees
local councils
schools, colleges and universities
health trusts, hospitals and doctors’ surgeries
publicly owned companies
publicly funded museums
the police

You can ask these public bodies for any information. Public bodies spend public money and you are entitled to find out how it is being used. For example, the MPs’ expenses scandal broke because of Freedom of Information requests. Used well, they can be powerful.

You can write to any public body directly; contact details will be available on the organisation’s website. You can also make your request public by using the WhatDoTheyKnow website. Asking your question through this site gets your request to the right place, and both the request and the answer are published. Check it out to see the sort of things that have been asked.

Why FOI post on a blog about consumer rights?
Well, because as well as it being your right to find out how your money is spent, the information can also strengthen your complaint. For example, if you want to complain about understaffing on a ward but have no idea how many staff there should be on duty, you can ask how many staff are meant to be on duty on that ward between set times on set days.

Responses 
Public bodies must respond within 20 working days. There are exceptions to providing information: some sensitive information isn’t available to members of the public. If this applies, the organisation must tell you why it can’t give you some or all of the information you requested, or it might ask you to be more specific so that it can provide just the information you need.

An organisation can also refuse your Freedom of Information (FOI) request if it would cost more than £450 (£600 for central government) to find and extract the information. That includes administration time. If you have more than one question, send them as separate requests.

If the body has not sent you its response within the 20 working days, you can report it to the Information Commissioner’s Office.

Tips
1) Don’t ask for qualitative information, e.g. why did the organisation make a decision? Instead, ask for copies of the minutes of meetings regarding the matter and then see for yourself how the decision was made.

2) Keep a note of the date you made the FOI request and chase on the 21st working day, saying that you will report the body to the ICO if you haven’t had a reply.

3) When you email an FOI request you should receive an acknowledgement email. If you do not receive one, follow up to ensure that the request has been received and obtain a reference number.

4) When you receive your acknowledgement, keep the reference number; you will need it to follow up if you don’t get a response.

5) Check the public body’s website first. If the information is already available online, the body will simply send you a link; it is not obliged to answer detailed questions about, or post you, information that is readily available.

6) Follow the complaints procedure if you do not agree with a decision not to provide you with the information. Use the body’s internal complaints procedure and explain clearly why you disagree. If you remain dissatisfied, you can take the matter to the ICO.

Real examples of FOIs I have made

CCTV parking offences. A couple of years ago I asked how much money was generated from the CCTV car in our borough which sits at the end of a road and “catches” people turning left. (Which in my humble opinion is utterly pointless: if they turn right they can turn right again instantly and turn round in the short in/out road to a car park, causing more disturbance to pedestrians than turning left.) I was given piles of information! Some I wasn’t given because the work was out to tender and therefore deemed “sensitive”. It was an incredibly high amount which more than paid for the staff and vehicles. Unfortunately this was before the discussions and rulings about CCTV being used to generate income…

Police. Last year someone was putting stickers on keyholes giving the number of a locksmith. This number was unobtainable. Stories about this happening in other boroughs had been in the media over the previous year or so. The story went that burglars were putting on these stickers and, if in the following day or two they were still there, the house was empty and could be burgled. The local paper ran this story, Facebook posts were shared all over the place and the head teacher of at least one school sent the warning home. People were very worried about a rise in crime and violence with these robberies.

I emailed our local police. Firstly I asked if there was any truth in this story and, if so, what they were doing about it and why they weren’t warning residents. I was told that actually there was no truth in the story whatsoever. A neighbourhood police officer had caught someone putting the stickers on doors and confiscated the roll, telling him to get his boss to phone the officer. He duly did so. This was a new company who thought that this was a good idea to drum up business… before their phone lines were in use. I don’t suppose I need to state my opinion on that!

However, people seemed certain that they were hearing of far more burglaries than the previous year, so I made some FOI requests regarding the number of burglaries in the previous 8 weeks and for the same period in the previous year, how many involved violence, and roughly whether they were by day or night. There was no increase, and only one involved violence, which the police thought was more suspicious. The media and people’s perception (perhaps fuelled by so much social media activity) was unfounded. I was therefore able to share all the facts on local Facebook group pages, on my own page and so on, and alleviate some fears. The local paper never printed the correct story despite requests by the police. So an answer to an FOI request can also stop you sending in a complaint if it gives you different or additional information.

Department for Work and Pensions. I am unfortunate enough to have Iain Duncan Smith as my MP. Luckily I have never had to ask him to help me with anything. However, I took it upon myself to challenge him regarding food banks, the cost of living and ATOS. I went twice and recorded the events. The write-ups can be found here and the clips on my YouTube channel, Helen Dewdney. I asked various questions of the DWP; some I forwarded to activists, and others I shared on my Facebook page, such as the number of verbal and physical threats made to staff.

For further information about how you can use the information you glean to pursue complaints, see the book.