Important changes afoot at the Information Commissioner’s Office
The Information Commissioner’s Office (ICO) has recently published its strategic plan for April 2014 to March 2017. The plan has been drawn up following feedback from the ICO’s public consultation, ‘Looking ahead, staying ahead: Towards a 2020 vision for information rights’, which closed in February. It provides a useful insight into the future landscape of information rights regulation.
The plan identifies six objectives to enable the ICO to meet its future goals, including the need to ensure organisations have a clearer understanding of their information rights obligations; that consumers receive a proportionate, fair and efficient response where concerns are raised; and that enforcement powers are used proportionately to improve compliance.
Stopwatch – Information request response times
As part of the changes, a process is to be introduced monitoring the speed of data controllers’ responses to data subject access requests and public authorities’ responses to freedom of information requests. Existing response deadlines of 40 days (under the Data Protection Act 1998 (DPA)) and 20 working days (under the Freedom of Information Act 2000 (FOIA)) can be daunting for busy organisations, particularly if they have not received multiple requests previously or where they are continuously pressed. A new monitoring process will increase the pressure on organisations to respond expeditiously. This measure comes in light of the ICO’s intention to actively tackle poor performance and the proposals envisaged to increase public awareness of information rights more than ever before. No organisation should risk enforcement action where it could be easily avoided. Proceeding promptly, following regulatory guidance and best practice, and seeking legal advice when appropriate will remain important, especially in the more sensitive cases.
Recent Government proposals are similarly likely to increase ICO enforcement action for breaches of the Privacy and Electronic Communications Regulations 2003 (PECR). The PECR primarily governs those sending direct marketing and advertising by electronic means, including emails, mobile phone messages and telephone calls. Permission is required from the recipient, unless a previous relationship with the recipient exists. There are also rules applying where cookies or similar technologies are used to track information regarding end users of a website or electronic service.
On 30 March 2014, the Department for Culture, Media and Sport (DCMS) published its nuisance telephone calls action plan, following a select committee inquiry into the issue (July 2013) and the joint Ofcom-ICO strategy for tackling unwanted live marketing and recorded sales calls. DCMS propose to lower the legal threshold for consumer harm, enabling the ICO to take action against more organisations breaching PECR. As the regulator with responsibility for live calls, the ICO currently only acts where a contravention is serious and likely to cause “substantial damage or substantial distress”. Going forward, the ICO would be able to issue penalties in situations where “nuisance, annoyance, inconvenience or anxiety” are caused. This threshold is likely to be easier to breach, and organisations should be alert.
‘Sell-by date’ for consent
DCMS have also announced they will consider recommendations made by a task force led by Which?, to deal with situations where consumers are unaware they have notified a company that they do not object to that business or a third party contacting them for marketing purposes. Currently, organisations must:
- obtain consent before making automated marketing calls, making live marketing to consumers registered with the Telephone Preference Service, or passing on consumer details;
- show that consent was knowingly given, is clear and specific;
- keep clear records of consumer consent; and
- carry out rigorous checks before indirect consent (that is, consent originally given to a third party) is relied on.
However, if implemented in practice, the recommendations would for the first time see a time-limit of one year imposed on any consent obtained via third parties and clarification introduced to wording where customers are consenting to or opting out of marketing calls. The changes would require businesses to review and revise relevant documentation and terms, particularly website conditions. Practically, implementation of a one-year limit would be onerous – particularly for businesses maintaining large databases and client contact lists.
Also of note is the ICO’s intention to improve compliance by:
- obtaining formal undertakings when businesses need to improve;
- issuing increased numbers of enforcement notices where there are significant risks;
- encouraging organisations to sign up to improvement plans and following this up with formal action where appropriate;
- issuing civil monetary penalties for serious DPA breaches; and
- encouraging the Government, in the longer term, to introduce penalties such as community service orders or imprisonment for unlawful trade in personal information.
Investigation and prosecution of those committing criminal offences under the DPA and FOIA are also likely to increase, with the ICO looking both to undertake reactive investigations and to proactively conduct initiatives with other regulators and prosecuting authorities, such as the Financial Conduct Authority. With the introduction of an online self-reporting tool, expectations to self-report are likely to increase. As such, it may be more advisable than ever before for businesses to consider reporting incidents to the ICO at the earliest possible opportunity or to seek legal advice, even where they are unsure whether the potential breach will incur a penalty. At the very least, such steps will demonstrate awareness of the entity’s responsibilities and a positive culture of compliance.
A number of factors have heralded the proposed changes. Alongside reforms arising from the Leveson Inquiry relating to data protection and the press, ongoing consultations have considered the burden on public authorities under FOIA. At the same time, the newly-installed EU Commission is undertaking data protection reform in working towards establishing a digital single market, whilst Parliament will most likely further review UK information rights following the General Election in May 2015.
Political and other extraneous influences aside, the coming years look set for considerable changes to the ICO’s role, levels of enforcement action, the consequences of any breach of information rights legislation, and the way organisations must handle individuals’ data. With data becoming such a valuable asset, it is imperative that organisations consider the proposals carefully ahead of implementation.