The Information Commissioner’s Office (‘ICO’) has published its 2017/2018 Annual Report, covering the 12 months leading up to 31 March 2018. The report is the ICO’s annual report to Parliament as required by the Data Protection Act 1998 (‘DPA’), and outlines the achievements and work of the ICO. Among the findings reported are the number of self-reported personal data breaches and a summary of fines issued by the ICO.

Upward trends

The ICO received a huge increase in telephone, live chat and written queries from the public and organisations. In the last quarter of 2017, it received 30,000 more such calls than in the previous three months. The report claims 235,672 calls were received by the ICO’s helpline, an increase of 24.1 per cent year-on-year, while 30,469 live chats were requested, up 31.5 per cent. Of the queries received, the majority of concerns related to data subject access (39 per cent), the disclosure of data (16 per cent), the inaccuracy of data (11 per cent) and securing the right to prevent processing (9 per cent).

With regard to personal data breaches, the number of self-reported cases increased significantly: 3,172 incidents were reported to the ICO over the course of 2017/2018, a 29.6 per cent increase. The number of self-reported data breaches is expected to increase further during the 2018/2019 report period, reflecting the new mandatory data breach notification requirements under GDPR. This position was confirmed during an ICO webinar, where it was revealed that there were 1,792 personal data breaches notified to the ICO in June, a 173 per cent rise on the 657 reports received in May 2018, and an almost fivefold increase compared to April, when just 367 notifications were received.


On 23 May 2018, the Data Protection Act 2018 (DPA) received royal assent and became UK law. The DPA implements the EU’s General Data Protection Regulation (GDPR), while providing for certain permitted derogations, additions and UK-specific provisions.

The DPA:

  • Repeals and replaces the previous Data Protection Act 1998 (the 1998 Act) as the primary piece of data protection legislation in the UK
  • Is designed to ensure that UK and EU data protection regimes are aligned post-Brexit
  • Implements the EU Law Enforcement Directive, establishing rules on the processing of personal data by law enforcement agencies and intelligence services

This blog looks at key issues of interest in the DPA relating to liability, compliance and enforcement.

DPA offences

Under the GDPR, EU Member States have the freedom to apply certain exemptions or provide for their own national rules regarding certain types of personal data processing. The DPA creates additional data protection offences and provides additional information about the Information Commissioner’s Office’s (ICO) powers and enforcement abilities.

UK-specific data protection offences include:

  • Knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, or procuring such disclosure, or retaining data obtained without consent.
  • Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed.
  • Where an access or data portability request has been received, obstructing the provision of information that an individual would be entitled to receive.
  • Taking steps, knowingly or recklessly, to re-identify information that has been “de-identified” (although this action can be defended when it is justified in the public interest).
  • Knowingly or recklessly processing personal data that has been re-identified (which is a separate offence), without the consent of the controller responsible for the de-identification.



On 13 April 2018, the High Court, in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB), ruled against Google, in favour of two businessmen advocating for the right to be forgotten. You can find the full judgment here, but in this blog we explore the reasoning behind the Court’s decision.

Right to be forgotten/right to erasure

The Court of Justice of the EU confirmed the right to be forgotten as an existing right under data protection laws, in Google Spain SL v Agencia Española de Protección de Datos Case of 2014: 317. The right to be forgotten is made explicit in the EU General Data Protection Regulation 2016/679 (GDPR) text. Essentially, in the GDPR the right is an enhanced right of erasure. The right is not absolute, which means that a controller does not need to comply with the request if there is a legitimate reason for continuing to process the personal data.

Case summary

Two separate businessmen brought cases, which were consolidated. Each case centred on the reporting of business-related criminal convictions that were spent and over a decade old:

  • NT1 was convicted of conspiracy to commit false accounting and tax evasion; and
  • NT2 pleaded guilty to conspiracy to tap phones and hack computers of environmental activists who had made threats against him and his business.

