The Annual Report for the Information Commissioner's Office (the ICO) 18/19 was recently published and can be accessed here
A year of change
The Report covers the period from 1 April 2018 to 31 March 2019. This was a period of significant change for the ICO as the year brought a significant change to data protection legislation – the EU General Data Protection Regulation 2016/679 (GDPR) came into full operation. GDPR was implemented in the Isle of Man through Orders made under the Data Protection Act 2018, and came into force on 25 May 2018. The GDPR and LED implementing Regulations 2018 followed after, and came into operation on 1 August 2018.
The Report details the Legislation and Codes of Practice for which the ICO is responsible, which is particularly useful after a year of new legislation:
Data Protection, Data Protection Act 2018
Orders and Regulations, Data Protection (Application of GDPR) Order 2018, Data Protection (Application of LED) Order 2018, Data Protection Act 2018 (Appointed Day) Order 2018, GDPR and LED Implementing Regulations 2018, Data Protection (Fees) Regulations 2018, GDPR and LED Implementing Regulations (Amendment) Regulations 2018, Data Protection Tribunal Rules 2003.
Unsolicited Communications, Unsolicited Communications Regulations 2005, Unsolicited Communications Order 2005, Privacy and Electronic Communications Directive 2002.
Freedom of Information, Freedom of Information Act 2015, Freedom of Information Act 2015 (Appointed Day) Order 2015, Freedom of Information Act 2015 (Amendment of Schedule 1) Order 2015, Council of Ministers FOI Code of Practice
Code of Practice on Access to Government Information, 2016 Code of Practice on Access to Government Information, 2016 Guidance Notes on Code of Practice on Access to Government Information.
Throughout the period, the ICO undertook a wide variety of activities. These included raising awareness of Data Protection and providing training to a range of associations. In addition, the ICO has also provided advice and guidance through its web site to aid individuals and organisations with their compliance and understanding. Guidance topics include a closer look at processing, rights and remedies and data protection officers.
The ICO is now also responsible under the GDPR and LED implementing Regulations 2018 for the maintenance and administration of a new Register of Controllers and Processors. As a result, the ICO has had to create and test the new register, create documentation and online application forms and deal with correspondence for new applications whilst maintaining both registers. The old register will close on 31 January 2020.
Personal Data Breaches, complaints, investigations, etc.
The Report helpfully details statistics of matters dealt with by the ICO in the 12 months since data protection legislation came into force (up to 31 March 2019). There is a new provision in data protection legislation to report personal data breaches, with a total of 208 personal data breaches being declared in the period. Another result of GDPR has been increased awareness of data protection rights, which the Report suggests has led to the 60 data protection infringement complaints made in the period.
A further new provision in legislation is a Data Protection impact assessment, of which there were five. In addition to this, two investigations were also undertaken. The final new provision from legislation that has resulted in statistics is the ability to appeal to a Data Protection Tribunal. In the period reported, two appeals were made.
The Reports further details that three information notices were issued and one enforcement notice issued. In the period, a total of nine reprimands were made.
The ICO has approval to recruit a further staff, including three full time staff, over the next 12 months. This growth in size is reflective of the growth in responsibilities for the ICO following the new data protection legislation. Particular focus is on the expansion of staff to enable effective monitoring of compliance with the new legislation and also the issue of further guidance. The future of the ICO also focuses on international cooperation and conferences. Future objectives include effective policy to protect individual rights whilst assisting organisations with compliance with the law.
It's been a year of growth and change for the ICO, with further growth to come.
At DQ Advocates we have qualified professionals who are able to assist with a wide range of data protections issues including subject access requests and investigations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.