On 13 July 2005, the Information Commissioner published his Annual Report for the year ending 31 March 2005. The report offers a good insight into the Commissioner’s enforcement strategies and shows what a busy year it has been for his Office.
New organisational structure
In addition to creating a new structure to cater for freedom of information, the Office has three new divisions; the Regulatory Action Division covers investigations and enforcement work; the new Casework and Advice Division deals with complaints casework and enquiries; and the new Guidance and Promotion Division will develop data protection policy and produce guidance aimed at promoting good data protection practice. The new structure should allow the office to take a practical yet robust approach to data protection work. It will help members of the public and data controllers by giving advice and guidance, while dealing firmly with organisations who ignore their obligations and do not apply the data protection principles appropriately.
Volume of activity
2004-2005 remained a busy year for the Commissioner; his Office handled over 19,000 cases, of which nearly 5,000 were formal “requests for assessment”. 12 cases were successfully prosecuted, with sentences including fines ranging from £100 to £3,150, and conditional discharges.
A man who ran an investigation agency was prosecuted by the ICO on five counts of illegally obtaining personal information (contrary to section 55 of the Data Protection Act 1998). Evidence was obtained that calls were made from his offices to the Inland Revenue in Cardiff, to elicit information illegally. The defendant denied he had made the calls, claiming they were made by self-employed agents working for him. He was convicted at Cardiff Magistrates Court on the basis that he either knew what his self-employed agents were doing, or that, if he didn’t know, he should have known, and a failure to know arose from inadequate systems. He was fined a total of £2,500 (£500 per offence) plus £3,000 costs.
The ICO successfully prosecuted a solicitor after his firm failed to notify under the Data Protection Act 1998. Following a guilty plea, he was fined £3,150 and ordered to pay £3,500 towards prosecution costs. This fine was later reduced on appeal to £1,000. Under the Act, organisations that process personal data may be required to notify with the ICO at a cost of £35 per year.
Two men were sentenced to a total of six and a half years’ imprisonment at Burnley Crown Court in December 2004. They were behind one of the bogus data protection agencies about which the ICO has received many complaints. They had pleaded guilty to conning businesses across the UK out of nearly £700,000. These bogus agencies send out threatening letters to businesses demanding payments of between £95 and £135 to register under the Data Protection Act. The ICO worked closely with Lancashire Police, providing information and evidence.
The Privacy and Electronic Communications Regulations 2003 prohibit the sending of unsolicited marketing emails to individual subscribers without prior consent. The ICO has been in talks with the Department of Trade and Industry with a view to strengthening the Office’s enforcement powers. The Information Commissioner has also signed a Memorandum of Understanding with other relevant UK enforcement bodies and authorities in the USA and Australia.