The Information Commissioner’s Office (ICO) today published its annual report for FY 2019-20, stating that it handled over 12,000 reports of personal data breaches, among others, and took regulatory action in 236 instances that included fifteen fines.
ICO said that between 1st April 2019 and 31st March this year, it took regulatory action in 236 instances that resulted in data breaches. These actions included 54 Information Notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions, and fifteen fines.
These fines included a £120,000 penalty issued to Hall and Hanley Ltd for sending over 3.5m direct marketing text messages, a £400,000 fine issued to Bounty UK Ltd for illegally sharing personal information belonging to more than 14m people, a £100,000 fine issued to EE Ltd for sending over 2.5m direct marketing messages to customers without consent, a fine of £500,000 issued to Cathay Pacific for failing to secure its customers’ personal data, and a fine of £500,000 issued to CRDNN Limited for making more than 193m automated nuisance calls.
In FY 2019-20, ICO received as many as 38,514 data protection complaints, managing to close 39,860 cases in the period, with 98% of the cases closed within six months of receipt. While 15% of the cases involved general businesses, 8% involved local government departments, 8% involved the health sector, and 5% of cases involved the central government.
While 46% of data protection complaints were based on unsuccessful subject access requests, 13% of such complaints involved the disclosure of data, 8% were filed by individuals to exercise their right to prevent the processing of their data, 9% were based on data security, and 6% were based on inaccurate data.
0.03% of personal data breach complaints resulted in monetary penalties
According to the ICO, the health sector generated nearly 20% of all personal data breach complaints, followed by general businesses with 17.16%, the education sector with 14%, the finance, insurance, and credit sector with 10%, local government with 8.63%, the legal sector with 8.57%, and the retail sector with 5.39%.
Even though the ICO received as many as 11,854 complaints of personal data breaches in FY 2019-20, 95% of the cases were deemed to require no action and in 5% of complaints where action was required, only 0.03% resulted in the imposition of civil monetary penalties.
The number of data breach complaints resulting in enforcement action in 2018-19 were also minuscule, with the ICO issuing monetary fines in only 29 cases out of 11,468 data breach cases it investigated between May 2018 and March 2019.
Commenting on the number of data breach complaints received in 2019-20, the ICO said that in around half of all data protection complaints, it found that "there was more that data controllers could have done to either improve their information rights practices, or explain in a more comprehensive way how they are complying with their legal obligations."
"This year we have asked data controllers to revisit concerns and do more to assure themselves and complainants that they are complying with their obligations under the law. Whilst we cannot yet attribute a significant reduction in complaints being received to the ICO to this approach, we hope that in time, members of the public will see improvements in how their information rights complaints are handled by data controllers and that this improved experience will result in fewer complaints being received," it added.