ICO Annual Report: Highlights

July 24, 2024

The Information Commissioner’s Office has published its annual report for 2023-24. This article sets out the highlights.

The ICO commits to four “enduring strategic objectives”:

  • Safeguarding and empowering consumers,
  • Responsible innovation and sustainable economic growth,
  • Promoting openness, transparency and accountability, and
  • Being held to account for enforcing the legislation it oversees, including the Data Protection Act 2018 and the Investigatory Powers Act 2016.

Investigations

The ICO concluded 285 civil investigation cases and 80 incidents in 2023-24. Five prosecutions and five cautions were brought for ‘unlawfully obtaining’ offences under the Data Protection Act. These included a local council officer being sentenced for unlawfully accessing social service records and a former tracing agent pleading guilty to illegally obtaining personal information to check if bank customers could repay debts. The ICO also carried out investigations in the cyber sector, and into privacy and digital marketing and financial recovery.

AI

Responding to the rise of AI, the ICO has warned of a “real danger” of discrimination, especially against neurodivergent people, in brain-monitoring technology, and has said that neurotech poses a major risk of being biased if not developed and used correctly. The ICO has committed to developing guidance for developers of neurotech. The ICO has issued guidance for consumers buying smart tech, emphasising research and preparation before buying products. Serco Leisure has been ordered to stop using facial recognition and fingerprint scanning to monitor workers’ attendance, as workers were not offered a clear alternative to these modes of monitoring.

Children’s privacy

On children’s privacy, the ICO has successfully completed six investigations, with a further four in the process of being finalised. An investigation into TikTok saw the ICO issuing a £12.7 million fine for the misuse of children’s data in April 2023, finding that personal data belonging to children under 13 had been used without parental consent and that TikTok “did not do enough” to check who was using its platform and remove those who should not be on it. In addition, the ICO has partnered with education, law enforcement and social services to promote awareness around responsible data sharing to prevent harm to children. It has published an updated Commissioner’s opinion on age assurance for the Children’s code, giving guidance on what online services should do if accessed by children, reflecting technological developments in this area, and explaining legislative developments and how organisations can meet data protection obligations.

Adtech and digital advertising

The ICO has done work on adtech, calling for websites to stop using damaging practices, such as using language suggesting a right or wrong decision on privacy policies, and cookie consent banners that do not offer an easy ‘reject all’ option. It has warned top UK websites of enforcement action if they do not comply with data protection law, and pointed out that some websites do not give fair choices to users over personalised advertising tracking.

Spam marketing

The ICO has also tackled unlawful marketing, fining two energy companies a combined £250,000 for calling those on the ‘do not call’ register, in addition to a further £130,000 fine for a company sending millions of spam emails without consent.

Complaints received

The ICO received 39,721 data protection complaints in 2023-24, up from 33,753 in 2022-23, with the range and sectors of complaints broadly similar to the previous year. There was a much higher caseload compared with the previous year, with 9,168 cases being worked on, compared to 3,558 in 2022-23. It responded to 11,680 personal data breach reports. Following the recent King’s Speech, the new Digital Information and Smart Data Bill commits to reforming the ICO into a new regulatory structure with a CEO, board and chair with new, stronger powers. It will be accompanied by targeted reforms to some data laws and by the promotion of standards for digital identities around privacy, security and inclusion.