ICO publishes Annual Report 2023/2024

The UK Information Commissioner’s Office (ICO) has published its annual report, containing details of its activities and financial statements between April 2023 and March 2024.

The Information Commissioner, John Edwards, comments on the diverse nature of his roles, from investigating a case of an email which didn’t use bcc, to assessing the risks of AI and novel technologies!

The ICO has been seeking to deliver its three-year strategy (ICO25), which was launched in 2022. The report outlines how it has addressed its overall strategic objectives, and its other activities and achievements against this plan. This includes using its new PACE approach (prioritise; act; collaborate; engage) to tackle emerging issues.

The ICO continued its approach of giving reprimands for a lot of breaches, and only using more formal enforcement notices or fines for the more serious breaches, for example where people are at most risk of harm. The biggest fine issued was £12.7m against TikTok in April 2023. Two energy companies were also issued with a combined £250,000 fine for unlawful marketing calls.

The ICO has also been helping DSIT prepare for the DPDI Bill, and publishing its position on the Bill. The Bill was dropped before the General Election, though, and we await seeing whether any of its provisions are revived in the new Government’s Digital Information and Smart Data Bill.

The full annual report is available at www.ico.org.uk.

Enforcement and caseloads – some statistics

Queries made to the ICO

The ICO received 282,213 calls to its helplines over the course of the year (a significant decrease from 352,683 last year), and 97% of calls were answered (an increase from last year). There were over 57,441 live chat requests (again a significant decrease from last year), with 94% answered. 8,875 calls and 3,185 chats went unanswered! There were 9,605 requests for written advice (which appears to be focused on email rather than post), which is a bit more than last year.

Data protection regulatory action

The ICO concluded 306 data protection investigations and 80 incidents (classified as civil investigations and high priority inquiries). It is still not completely clear what these terms mean and how these investigations or incidents arise.
  • 31 reprimands: including disclosures in error, inaccurate data, data subjects’ rights
  • 10 enforcement notices: including employment monitoring and biometric data collection
  • 3 monetary penalty notices totalling £13,057,500 – woah, this is huge, as it includes the £12.7m TikTok fine

Cyber investigations are once more classified separately. 62 investigations were closed, with 8 reprimands.

The report says that the ICO is evaluating emerging themes from published reprimands in the public sector, and will publish findings and next steps in the coming year. It has already published some “lessons learned” from reprimands for Q1 and Q2 2023 (including bolstering online security, using alternatives to bcc for emails with sensitive info, considering the risks of messaging apps). It can be useful to look at themes from enforcement action, so that your organisation can focus compliance efforts in these areas!

Privacy and electronic communications regulatory action

The ICO issued 26 monetary penalty notices totalling £2,590,000 and 26 enforcement notices for PECR breaches.

The focus was on organisations undertaking predatory marketing communications targeting people at risk of harm or likely to respond to high-pressure marketing practices. This included “green energy” schemes, subscriptions and warranties, debt management and personal loans, and claims management.

See also below in relation to PECR complaints.

Criminal investigations

The ICO delivered 5 prosecutions and 5 cautions in the year for “unlawful obtaining” of personal data.

Audits

The ICO conducted 64 audits – 48 initial audits and 16 follow-up audits. The audits were completed using a hybrid model of remote auditing and onsite work.

97% of the ICO’s audit recommendations were accepted in full or in part.

The report says that the ICO focused this year on exploring different sectors and new technologies for its audits, including the financial sector, use of AI in the recruitment sector, and use of mobile phone extraction technology and FOI requests in the police sector.

Data protection complaints

The ICO received 39,721 data protection complaints. This is about 6,000 more than the previous year, but the range of complaints and sectors remained broadly comparable to previous years.

35,332 complaints were completed during the course of the year, which is about 4,400 down on last year.

84.8% of complaints were responded to within 90 days (one of the ICO’s objectives), which is significantly higher than last year, and 99.7% within six months. However, the report doesn’t seem to indicate how many were responded to sooner than this; for example, were any complaints addressed within one month?

There doesn’t appear to be a breakdown on which sectors generated the most complaints (as there has been in previous years).

In 62% of the cases, advice was given, and no further action taken. In 38% of the cases, informal action was taken. These are similar percentages to last year. “Other” is listed at 0%, which is presumably rounded down, meaning that in only a very small minority of cases was additional investigatory or regulatory action taken. As has been the case since John Edwards took over as the Information Commissioner, this may reflect his approach to working with organisations rather than issuing formal penalties straight away.

As has been the case for many years, the right of access (subject access requests) tops the list of reasons for complaints – at 38.74% (almost the same as last year). There doesn’t seem to be a full breakdown as in previous years, so it is unclear how the topics for the other 61.26% were split! It would be interesting to know whether complaints are being received about other rights, such as the right to erasure (which had a significant percentage last year), and potentially lesser-used rights, such as the rights to rectification, to object, and to data portability.

PECR complaints

53,476 concerns were reported in relation to telesales calls and texts (unsolicited marketing communications), broken down as 62% where the recipient spoke with a person, 24% with a recorded voice, and 14% spam texts.

Emails are back in the picture, having been seemingly missing for a couple of years! 31,635 email marketing concerns were reported, and 2,669 cookies complaints.

Self-reported breaches

There were 11,680 self-reported personal data breaches (an increase of 28% from last year), and 10,789 cases were completed.

In 74% of cases assessed, informal action was taken – for most of these the breach was recorded, but the regulatory action criteria were not met (a similar percentage to last year). Only in 5.5% of cases was an investigation pursued (again, a similar percentage to last year). No further action was taken in the remaining cases.

Whilst the full industry breakdown doesn’t seem to be reported this year, the report states that the highest reporting sectors remained health, education and childcare.

Over 20% of breaches related to emailing, posting or faxing personal data to the wrong person. This once more demonstrates the need for awareness and training amongst staff, as human error is a key reason for incidents.

72% of reports were closed within 30 days (with an 80% target).

Freedom of information cases

The ICO reports a record year for freedom of information complaints, with 8,080 complaints received (up about 2,500 from last year).

7,697 cases were closed, continuing an upward trend of closed cases following a Covid backlog.

96% of cases were closed within six months (much higher than last year). At the end of the year, there was one case over 12 months old (due to a related appeal to the Tribunal) and 25 cases over six months old.

2,227 statutory decision notices were issued (slightly fewer than last year); 767 were upheld, 347 were partially upheld, and 1,113 were not upheld.

There were 345 appeals to the First-tier Tribunal. 76% of First-tier cases closed were successfully defended by the ICO.

Information requests to the ICO

2,532 information requests were made to the ICO, and 2,545 were completed (both figures slightly up on last year). 1,182 were made under data protection laws, 1,297 under freedom of information laws, 52 were hybrid, and the number under the Environmental Information Regulations 2004 was steady at 1 (as for the last two years).

It completed 98% of information rights requests within statutory timescales!

Olivia Whitcroft, principal of OBEP, 23 July 2024

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details