ICO publishes Annual Report 2022/2023

The UK Information Commissioner’s Office (ICO) has published its annual report, containing details of its activities and financial statements between April 2022 and March 2023. It also published an annual report last year (relating to the period between April 2021 and March 2022), and somehow I failed to publish an update on it! So my article this year has some statistics from the last two years.

John Edwards took over from Elizabeth Denham as the ICO during the course of 2021/2022, so these are the first two Annual Reports for John Edwards as the ICO.

In 2021/2022, the ICO conducted a consensual audit of NHS Test & Trace, and made recommendations for improvement. It also started to publish a data security incident trends dashboard. This may assist organisations to review their approach to security in areas where breaches are commonly occurring. In December 2021, the ICO issued a £500,000 fine to the Cabinet Office for its New Year Honours list data breach. However, this was reduced to £50,000 on appeal in November 2022.

In 2022/2023, there were some big fines, including £4.4m against Interserve (following a cyber-attack) and £7.5m against Clearview (relating to its creation of a database used for facial recognition). The ICO issued a £12.7m fine against TikTok in April 2023, so technically this doesn’t fall within the time period of this report!

The ICO indicates that it has started publicising reprimands, though taking into account the statistics (see my table below), there also seems to be a general trend towards issuing the less-formal reprimands for data protection breaches, instead of more-formal enforcement notices. The ICO also references its two-year trial of its approach to enforcement in the public sector (announced in June 2022), which has resulted in more reprimands and fewer fines (in order to reduce the impact of fines on the public).

The ICO also published its new three-year strategy, ICO25, in November 2022, setting out what it wants to achieve by 2025.

The full annual reports are available at www.ico.org.uk.

Enforcement and caseloads – some statistics

Each topic below gives the figures from the Annual Report 2021/2022 first, followed by those from the Annual Report 2022/2023.
Queries made to the ICO

2021/2022: The ICO received 381,515 calls to its helplines over the course of the year (an increase from the previous year); 89% of calls were answered (a slightly decreased percentage from the previous year, but an increased number of calls answered). There were over 76,000 live chat requests (with 97% answered). There were 9,038 requests for written advice (email or post), continuing the downward trend from previous years, as more live chats are requested instead.

2022/2023: The ICO received 352,683 calls to its helplines over the course of the year (a slight decrease); 88% were answered. There were 74,356 live chat requests (with 95% answered) – meaning that almost 4,000 went unanswered! There were 9,173 requests for written advice, a similar amount to last year.
Investigations, reprimands, enforcement notices

2021/2022: This was the first year that statistics on investigations were made available. I am not completely clear on what they represent (!), but bar charts indicate that the ICO received 988 incidents, and 474 investigations (civil cases, cyber cases, criminal matters, and privacy and digital marketing cases). The ICO completed enquiries into 935 incidents, and carried out 696 investigations.

I am unclear on how these tie in with the other figures in the report, including relating to complaints and self-reported breaches.

As with last year, the report does not seem to set out figures for information notices, assessment notices, enforcement notices, cautions and criminal prosecutions (though information on these in the 2022/2023 report is under this new section on ‘investigations’ data).

2022/2023: Investigations data was once more published. The report clarifies that the ICO needs to consider whether cases/incidents meet the evidential threshold for (a formal) investigation. The report distinguishes between civil investigations, privacy and digital marketing investigations, and cyber investigations (though I am not wholly clear on the distinction at this stage).

In relation to civil investigations, the ICO concluded 306 investigation cases and 89 incidents. It delivered 44 reprimands and one enforcement notice.

In relation to cyber investigations, the ICO concluded 79 investigations and 337 incidents. It delivered 7 reprimands.

The ICO also issued 14 enforcement notices in relation to PECR breaches.

See next row in relation to monetary penalty notices.

Fines

2021/2022: During the course of the year, the ICO issued 37 fines under data protection law and PECR. It issued four data protection fines totalling £633k and 33 PECR penalties totalling £2.9m. Though note that the highest fine of £500k against the Cabinet Office was reduced to £50k the following year.

The ICO also issued 24 reprimands over the year requiring organisations to improve their data protection practices.

2022/2023: During the course of the year, the ICO imposed £15.27m in fines under data protection law and PECR.

It issued 19 fines for breaches of PECR totalling £1.88m, indicating that the data protection fines totalled £13.39m. Under the ‘investigations’ section, the report states that the ICO issued two penalty notices following civil investigations totalling £7.6m (which must include the Clearview fine), and one following a cyber investigation totalling £4.4m (which must be the Interserve fine). So I don’t understand how all these numbers tally up with each other…

Audits

2021/2022: The ICO conducted 78 audits and follow-up audits. The audits were completed using a hybrid model of remote auditing and onsite work.

2022/2023: The ICO conducted 93 audits and follow-up audits. This included audits of video game developers, from which the ICO created some top tips for game designers.
Data protection complaints

2021/2022: The ICO received 36,343 data protection complaints. This is substantially the same as the previous year. Over 41,000 complaints were closed during the course of the year, which is an increase of 10,000 from the previous year (when they were dealing with the challenges of lockdown). 6.25% of complaints were concluded within 30 days, 31% within 90 days and 88% within six months.

The most complaints were in the ‘land or property services’ sector (which was lower down the list last year), followed by the ‘finance, insurance and credit’, ‘general business’ and ‘health’ sectors. The ‘local government’, ‘online technology’ and ‘retail and manufacture’ sectors were also high on the list.

The outcomes and reasons for complaints are once again in the report (having been missing last year; it seems due to a new case management system)!

In 63% of the cases, advice was given, and no further action taken. In 36% of the cases, informal action was taken. In only a very small minority of cases (0.06% in total) was an investigation pursued or regulatory action taken. This perhaps demonstrates the ICO’s approach to work with organisations rather than jump straight to formal penalties.

As in previous years, the right of access (subject access requests) tops the list of reasons for complaints – at 21.66%. This is followed by 15.13% of complaints about “Provide a copy of the…”!!! The bar chart cuts off the end of this, but does refer to Article 15(3)(1), so this is presumably also about the right of access (providing a copy of data) – bringing the total Right of Access complaints to 36.79%. This is followed by complaints about lawfulness, fairness and transparency, and complaints about integrity and security, and security (again, apparent duplication here, which increases the overall security percentage). Other rights appear lower down the list, though combining duplicated entries, the right to erasure also appears to have a significant percentage.

2022/2023: The ICO received 33,753 data protection complaints.

39,724 complaints were finished during the course of the year. 13% of complaints were concluded within 30 days, which is double last year’s percentage. 60% were concluded within 90 days (again double), and 93% within six months.

The most complaints were once more in the ‘land or property services’ sector, followed again by ‘finance, insurance and credit’, and then ‘health’ and ‘general business’. The ‘local government’, ‘technology and telecoms’ and ‘retail and manufacture’ sectors were also high on the list.

In almost 65% of cases, advice was given and no further action taken. In 35% of cases, informal action was taken. At 0.03% we have ‘other’, which presumably includes the (very small minority of) cases where an investigation was pursued or regulatory action taken? This again perhaps demonstrates the new ICO’s approach to enforcement.

It seems nothing can beat subject access requests as the top reason for complaints – they have topped the charts for many, many years running. For some reason, complaints relating to the right of access are split in two (provide a copy and right of access), but the total percentage is almost 40%, which is a lot!

This is followed once again by complaints about lawfulness, fairness and transparency, and complaints about security and…security again (integrity and confidentiality). The right to erasure also appears twice and its combined percentage is about 7%.

PECR complaints

2021/2022: The ICO received 105,438 reports of concerns under PECR (including unsolicited marketing communications) (a significant decrease of about 18,000 from the previous year, which was also down from the year before that).

In relation to telesales and spam texts, a bar chart indicates that calls where the recipient spoke with a person generated the most complaints (46,528, similar to the previous year). This was followed by calls with a recorded voice (37,653, which is over 22,000 fewer than the previous year), and then spam texts (21,257, about 4,000 more than the previous year).

There were 1,986 concerns raised about use of cookies; slightly higher than last year. It is unclear how email (and fax) marketing concerns fit into the picture.

2022/2023: The ICO received 50,954 reports of concerns under PECR (including unsolicited marketing communications), which is once again a significant decrease from the year before.

In relation to telesales and spam texts, a bar chart indicates that calls where the recipient spoke with a person once again generated the most complaints (29,131, a significant decrease compared to the previous year). This was followed by calls with a recorded voice (12,888, about a third of the number in the previous year), and then spam texts (8,935, under half of the number from the previous year).

There were 1,753 concerns raised about use of cookies; slightly lower than last year. It is once more unclear how email (and fax) marketing concerns fit into the picture.

Self-reported breaches

2021/2022: There were 9,571 self-reported personal data breaches. This is very similar to the previous year (which was, however, a decrease from the year before that).

In 77.6% of cases assessed, informal action was taken – the breach was recorded, but the regulatory action criteria were not met. Only in 9.6% of cases was an investigation pursued. This is significantly lower than last year, perhaps reflecting the new ICO’s approach to regulation, as raised in relation to complaints, above. No further action was taken in the remaining cases.

The health sector stayed at the top in the number of breaches reported (20.23%), and education and childcare stayed second (14.42%). Local government, retail and manufacture, finance, insurance and credit, and the legal sectors followed.

The top reason for breaches was data being emailed to the wrong recipient at 16.87%. This demonstrates the need for awareness and training amongst staff, as human error is a key reason for incidents. At 15.64% came “other non-cyber incident”, and unauthorised access and phishing were both also over 10%.

2022/2023: There were 9,146 self-reported personal data breaches, a slight decrease from last year.

In 74.6% of cases assessed, informal action was taken – the breach was recorded, but the regulatory action criteria were not met. Only in 5.2% of cases (even lower than last year) was an investigation pursued. Again, this perhaps reflects the new ICO’s enforcement strategy. No further action was taken in the remaining cases.

The health sector once again topped the charts in number of breaches reported (21.4%). Education and childcare once more followed (14.76%). The same players followed: local government, retail and manufacture, finance, insurance and credit, and the legal sectors.

The top reason for breaches remained data emailed to the incorrect recipient (17.87%), followed again by “other non-cyber incident” at 13%. Unauthorised access was third at 12.43%, though it was split up from its companion phishing, which was lower down at 7.95%. Data posted or faxed to the incorrect recipient rose to fourth place at 8.09%.

Freedom of information cases

2021/2022: The ICO received 6,361 complaints about freedom of information. It states that this was a return to pre-pandemic levels (following 4,853 in 2020/2021).

5,932 cases were closed during the year, which is significantly more than the previous year. The charts in the report aren’t wholly clear (there are two very similar diagrams with different figures), but it appears that 11% were concluded within 30 days, 63% were concluded within 90 days and 70% within six months. In 47.5% of cases, no action was required, and in 24% of cases, a decision notice was served. The other cases were informally resolved, or did not relate to information rights. 40% of the cases were about local government, and 26% about central government; both similar percentages to last year. 11% were about the health sector, 8% about the justice sector, and 6% about the education and childcare sector. 1,409 statutory decision notices were issued; 821 were upheld or partially upheld (an increase from the previous year), and 588 were not upheld. It is not specified whether, as with previous years, one of the key reasons for not upholding a complaint is that it was made too early before internal reviews by the relevant public authorities had been completed.

There were 205 appeals to the Information Rights Tribunal (down from last year, and a lower percentage of 14%). 75% of appeals were successfully defended by the ICO.

2022/2023: The ICO received 5,479 complaints about freedom of information, which is a drop from last year.

7,103 cases were closed during the year, again increasing from the previous few years. 12% were concluded within 30 days, 53% within 90 days, and 64% within six months (slightly lower than last year). In 37% of cases, no action was required. In 40% of cases, a decision notice was served (a significant increase from last year). The other cases were informally resolved, or did not relate to information rights. With similar percentages to last year, about 40% of the cases were about local government and 26% about central government. 9.7% were about the health sector, 8% about the justice sector, and 6% about education and childcare. 2,822 decision notices were issued – double those from last year. 1,256 were upheld or partially upheld, and 1,566 (so a large proportion of them) were not upheld.

There were 447 appeals to the Information Rights Tribunal (an increase from last year).

Information requests to the ICO

2021/2022: 2,367 information requests were made to the ICO. 2,463 were completed. These figures are both an increase from the previous year. 928 were made under data protection laws, 1,248 under freedom of information laws, 190 were hybrid, and 1 was made under the Environmental Information Regulations 2004.

The ICO indicates that it completed only 73% of information requests within statutory timescales. It indicates that this was due to an increase in requests, and a reduction in the capacity of the team.

2022/2023: 2,355 information requests were made to the ICO. 2,362 were completed. These figures are similar to last year (and the report indicates that the backlog of overdue cases was cleared by June 2022). 1,104 were made under data protection laws, 1,193 under freedom of information laws, 64 were hybrid, and 1 was made under the Environmental Information Regulations 2004.

The ICO indicates that it completed 96% of information requests within statutory timescales, which is a significant increase from last year.

Olivia Whitcroft, principal of OBEP, 18 July 2023

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details