The ICO has had a busy January with some key updates to note for the start of 2014.

The ICO has produced a series of quarterly reports:

  • Spam text messages
    • The main three topics for the subject of unsolicited marketing text messages were found to be debt management, payday loans and payment protection insurance.
    • Enforcement activity for 2014 will focus on culprits in breach of the Privacy and Electronic Communications Regulations (PECR) 2003.
    • The ICO has lobbied the Department for Culture, Media and Sport to lower the threshold to trigger enforcement by monetary penalty fines for violation of PECR, submitting the case that the trigger of demonstrating substantial damage or distress is too high, with too many organisations sending unsolicited marketing texts slipping through the grasp of the ICO’s enforcement powers.
  • Marketing calls
    • The top three subjects of live sales calls covered payment protection insurance, accident claims and energy.
    • The level of complaints about cold calls is at its lowest level since October 2012, totalling 4,996 in December 2014.
    • The ICO correlates the decline in complaints as a direct result of fines issued in 2013, such as that against DM Design Bedrooms Ltd of £90,000 for making 2000 unsolicited marketing calls in breach of PECR.
  • Cookies
    • The ICO received 53 complaints during the period of October-December 2013 about cookies via the ICO website.
    • The ICO is focusing enforcement on the most visited UK websites, which have taken no steps to raise awareness about cookies or sought to gain user consent.
    • The ICO has now written to a total of 265 organisations about compliance with cookie rules.

The ICO has experienced mixed fortunes with enforcement action. On January 24, the ICO successfully sentenced six investigators of ICU Investigations Ltd for conspiring to unlawfully obtain personal data about its clients, finding the two managers of the company guilty of a criminal offence under section 55 of the Data Protection Act 1998, and fined the investigators a total of £37,107. Furthermore, back in December 2013, the ICO issued a fine of £175,000 against payday loan company First Financial UK for sending millions of unauthorized marketing text messages. In juxtaposition to this, the First Tier Tribunal (Information Rights) overturned a £300,000 monetary penalty notice issued against Tetrus Telecoms for sending unsolicited text messages to consumers. In spite of this, the ICO is keen to stress it will be appealing this decision further to demonstrate that breaches of the PECR will not be tolerated.

The ICO has also issued a report analysing the strengths and weaknesses of data-processing activities in GP practices involving sensitive patient data. The report identifies a series of recommendations to improve existing practices, including ensuring all data breaches are reported, improving the way in which patients are informed about how their data will be used, greater awareness about the risks of using fax machines to process patient data, and more careful management of large volumes of patients paper records. This report will likely be particularly potent in light of NHS England’s latest plans as part of its scheme, scheduled to be launched this March, and which will create a central database for all patient records in the UK.

Finally, the latest draft guidance from the ICO, ‘Data Protection and Journalism – a guide for media’, has also been issued for public consultation. The guide has emerged in the context of finding from the Leveson Inquiry into the Culture, Practices and Ethics of the Press in November 2012, which highlighted the need for the ICO to issue good practice guidelines to ensure appropriate standards of data processing are adhered to by the press and media. The deadline for public responses on the draft is 22 April 2014.