ICO publishes Annual Report 2024/2025

The UK Information Commissioner’s Office (ICO) has published its annual report, containing details of its activities and financial statements between April 2024 and March 2025.

With all the excitement of the Data (Use and Access) Act 2025, it was easy to miss the publication of the Annual Report. It seems to have been published quite quietly and without fanfare, not even making it on to the ICO website’s news page.

The Information Commissioner, John Edwards, comments on the ICO’s 40th anniversary as a regulator. Originally called the “Data Protection Registrar” under the Data Protection Act 1984, the role then moved to be the Data Protection Commissioner (under the DPA 1998) and then the Information Commissioner (and the Information Commissioner’s Office, ICO), once freedom of information law kicked in. 2025 is also the 20th anniversary of the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 coming into force.

And of course the ICO is soon to convert to the Information Commission under the Data (Use and Access) Act 2025, with the Commissioner taking on the role of Chair of the Information Commission.

Some highlights from the report:

  • The ICO has continued to deliver its three-year strategy (ICO25), which was launched in 2022. The report reviews the third full year of ICO25, though ICO25 continues until end of the 2025/26 financial year.
  • The ICO identifies three organisational causes (agreed by the Executive Team): children’s privacy; artificial intelligence and biometrics; and online tracking.
  • The ICO has worked on addressing compliance with data protection law for the UK’s top 1,000 websites, and issued a reprimand to Sky Betting and Gaming for using cookies without consent and sharing the resulting information with advertising technology companies.
  • The ICO launched a privacy notices generator tool for small businesses, a data protection audit framework, and a direct marketing advice generator.
  • The ICO has introduced a new “stakeholder mapping tool” to improve its relationships with key stakeholders, and states that it has completed this process for key regulatory sectors: health; education; and policing and justice.
  • As part of its PACE (prioritise, act, collaborate and engage) approach, the ICO took part in a campaign (called the Ripple effect), focusing on the often unintended consequences of a data breach and the ‘ripples’ it can cause in someone’s life.

My summary of enforcement action and caseloads is set out below. Overall, the ICO seems to have seen an increase in the number of complaints and self-reported breaches over the last year, but has taken less formal enforcement action than the year before.

The full annual report is available at www.ico.org.uk.

Enforcement and caseloads – some statistics

Queries made to the ICO

The ICO received 284,296 calls to its helplines over the course of the year (a similar number to last year). 98% were answered. There were 65,645 live chat requests (up from 57,441 last year), with 93% answered. 6,003 calls and 4,891 chats went unanswered. There were 10,739 requests for written advice (up from 9,605 last year), with 10,760 requests completed during the course of the year.

Data protection regulatory action

The ICO concluded 43 UK GDPR investigation cases, down from last year’s 285 (note: I had originally said 306 in last year’s article, but that was actually the figure for the year before), and 204 incidents (up from last year’s 80). Cyber-related: 15 investigations, 61 incidents.

The context of investigations and incidents is still not completely clear.

  • 9 reprimands (down from 31 last year), including ones relating to disclosures in error, inaccurate data and people’s rights. Also noted are 3 cyber-related reprimands.
  • 2 UK GDPR penalty notices totalling £3,826,320 (lower than last year, as there was no equivalent to the TikTok fine this year): £3,076,320 to Advanced Computer Software Group Limited and £750,000 to the Police Service of Northern Ireland.

The report seems silent on data protection enforcement notices, so potentially there were none issued. Looking at recent enforcement notices reported on the ICO’s website, they seem to relate to direct marketing breaches (under PECR) rather than data protection breaches.

It therefore seems a quiet year for data protection enforcement!

Privacy and electronic communications regulatory action

The ICO issued 9 monetary penalty notices totalling £890,000 and 9 enforcement notices for PECR breaches. This is much lower than last year (26 penalty notices totalling approx. £2.5m, and 25 enforcement notices, reduced from 25 originally reported for that year).

The ICO executed 11 search warrants across three PECR investigations about the mass volume sending of nuisance messages. The ICO states that these are “also included as civil monetary penalties outlined in the table on page 54” (which has figures for monetary penalties), but I don’t understand what that means.

See also below in relation to PECR complaints.

Notes on monetary penalties and fines:

  • Paragraph 18 of Schedule 13 to the Data (Use and Access) Act 2025 amends section 157 of the DPA 2018 so that the ICO may issue fines of up to £17.5 million or 4% of global turnover under PECR (as well as under the UK GDPR) – currently the maximum amount is £500,000.
  • The total figure for monetary penalties during 2024/25 is stated to be £4.426m, though this seems less than £3.8m (for DP breaches) plus £0.9m (for PECR breaches). The report also refers to a figure of £9,200 for GDPR fines. I don’t understand where this figure comes from, but perhaps it relates to pre-Brexit EU GDPR fines?
  • The report states that, at the end of the year, £28.845m of fines remained to be collected. £25.576m relates to those under appeal. £3.696m (of other fines?) remains to be collected. The figures are a bit confusing, and I don’t quite understand how they all add up!

Criminal investigations

The ICO focused on criminal investigations for cases where significant harm had been caused to UK businesses and people. It delivered 4 prosecutions and 3 cautions (down from last year’s 5 prosecutions and 7 cautions, the cautions figure having been revised up from the 4 originally reported for that year).

These related to unlawful obtaining offences, including unlawfully copying and selling over 29,400 lines of data about people involved in road traffic accidents, and accessing and sharing over 32,000 customer insurance policies.

Audits

The ICO conducted 77 audits and follow-up audits (up from 64 last year) across a range of sectors. Executive summaries are published on the ICO’s website.

These include a series of audits relating to education technology in schools, the financial sector, young offender institutions and secure care homes, and personal data breaches for police services.

99% of the ICO’s audit recommendations were accepted or partially accepted.

Note: the ICO also published its new data protection audit framework during the course of the year, including useful toolkits for different topics.

Data protection complaints

The ICO received 42,315 data protection complaints. This is about 2,500 more than 2023/24 (and 8,500 more than 2022/23).

The ICO issued 36,196 outcome decisions offering advice and recommendations to improve information handling (up by under 1,000 from last year). The caseload at year end was 15,810.

Only 30% of complaints were responded to within 90 days, whereas the ICO’s objective is to respond to 80% within 90 days (which it achieved last year). 98.4% were responded to within six months. The ICO comments that performance has declined due to an increase in demand for the ICO’s services (see the increase in the number of complaints), and that it is exploring options to improve this! The report also doesn’t seem to indicate whether any complaints were responded to sooner than 90 days.

There doesn’t appear to be a breakdown on which sectors generated the most complaints (as there has been in previous years, other than last year).

In 67% of the cases, advice was given, and no further action taken (5% more than last year). In 33% of cases, informal action was taken (5% down from last year). There is no “Other” row in the table this year, which leads to the question of whether additional investigatory or regulatory action was taken in any of the cases. Note also the low figures for regulatory action taken in the row above.

As has been the case since John Edwards took over as the Information Commissioner, this may continue to reflect his approach to working with organisations rather than issuing formal penalties straight away.

As has been the case for many years, the right of access (subject access requests – Article 15 UK GDPR) tops the list of reasons for complaints – no figure seems to be given this year, but the report states that “Article 15 complaints…account for most of our data protection complaints work”. This implies it may be over 50%, which is an increase on the 38.74% from last year. It is unclear what other topics there were complaints about.

It would be interesting to know whether complaints are being received about other rights, such as the right to erasure (which has had a significant percentage in previous years), and potentially lesser-used rights, such as rights to rectification, to object, and to data portability.

PECR complaints

49,494 concerns were reported in relation to telesales calls and texts (unsolicited marketing communications) (about 4,000 fewer than last year). They are broken down as 59% where the recipients spoke with a person, 27% with a recorded voice, and 14% spam texts.

29,883 concerns about email marketing were reported (down just under 2,000 from last year).

4,515 concerns about cookies were reported. This is almost 2,000 more than the year before. The ICO contacted 93 organisations about website cookies; see also the comment on the reprimand to Sky Betting and Gaming in the introduction to this article.

The ICO also refers to its focus on bringing the top 1,000 UK websites into compliance in relation to online tracking, which could relate to both PECR and data protection compliance.

Note also:

  • The ICO published guidance on “consent or pay” models in January 2025, following its consultation from 2024.
  • Section 112 of the Data (Use and Access) Act 2025 (and Schedule 12) introduces a new Schedule A1 to PECR which provides new circumstances where consent to cookies is not required. These are areas which were considered to present a low risk to people’s privacy.

Self-reported breaches

There were 12,412 self-reported personal data breaches (an increase of about 750 from last year). 12,200 cases were completed (up about 1,500 from last year), but the increase in numbers meant that 1,518 were remaining at the end of the year.

In 87% of cases assessed, informal action was taken, and in 11% of cases no further action was taken. For most of these, it is stated that the breach was recorded but the regulatory action criteria were not met. Other reasons were that there wasn’t a personal data breach, or “unassigned”.

Note: the ICO’s publication “ICO25 – Our regulatory approach” sets out its risk-based approach to regulatory action. It states its focus is usually on areas of high risk where non-compliance could do the most harm.

An investigation was pursued in 3% of cases, down 3% from last year. As raised above, it seems a quiet year for investigations and enforcement!

As with last year, the full industry breakdown doesn’t seem to be reported, but the report states that the highest reporting sectors remained health, education and childcare.

The most common type of incident continued to be emailing, posting or faxing personal information to the wrong person, in just over 18% of breaches.

This once more demonstrates the need for awareness and training amongst staff, as human error is a key reason for incidents.

83.7% of reports were closed within 30 days (which exceeds the ICO’s 80% target). However, 25.3% of cases (384) were over 12 months old (against a target of fewer than 1%). The ICO anticipates improvement to its performance in 2025/26.

Freedom of information cases

7,639 freedom of information complaints were received. This is down about 400 from last year, but still the second largest number ever. 7,637 cases were closed (a similar number to last year). At the end of the year, the caseload was 1,466.

94.8% of cases were closed within six months (exceeding the ICO’s target of 90%), and 0.3% of the caseload is over 12 months old.

The ICO issued 143 statutory information notices to progress cases.

In 29% of cases, a decision notice was served. In the other cases, either no further action was taken, or there was informal action.

2,192 statutory decision notices were issued (a similar number to last year). For 758, the complaints were upheld (similar to last year), 437 were partially upheld, and 997 were not upheld. This is an increase from last year in the numbers partially upheld compared to not upheld.

There were 322 appeals to the First-tier Tribunal. 74% of First-tier cases closed were successfully defended by the ICO. There were also 76 appeals to the Upper Tribunal, 9 to the Court of Appeal, and 7 to the High Court.

Information requests to the ICO

2,357 information requests were made to the ICO, and 2,338 were completed. These are both about 200 fewer than last year. 1,104 were made under data protection laws, 1,150 under freedom of information laws, 81 were hybrid, and 3 were made under the Environmental Information Regulations 2004 – which is 300% of the number from each of the last two years (when there was only 1 request)!

The ICO completed 98.4% of information rights requests within statutory timescales (with a target of 100%).

Olivia Whitcroft, principal of OBEP, 22 July 2025

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details