The ICO publishes complaints and concerns data sets

The data sets will include information on the organisation, sector, nature of the issues and outcome following the ICO's consideration. Self-reported data breaches without further regulatory action will also be included, which means that the ICO is taking a more aggressive approach to transparency.
 

Overview

The UK ICO has decided to publish the complaints and concerns data sets on its website. These cover, amongst others, data protection complaints, self-reported data breach cases and civil investigations. The data sets are available from Q4 2020/21 onwards. The data sets are published in a reusable format and disclose information such as:

  • The name of the organisation that a complaint or concern relates to
  • The sector the organisation represents
  • The nature of the issues involved
  • The outcome following the ICO’s consideration of the issues
     

What is of particular significance is the inclusion of self-reported data breach cases. These cases include security incidents that were handled by the reporting organisation and were either not classified as a personal data breach by the ICO or did not meet regulatory action criteria. In the ICO’s words, ‘the public are legitimately interested in how many concerns and incidents are reported to us’, regardless of whether any regulatory action is taken.
 

Why is this significant and what does it mean for me?

Publicising information about a personal data breach or an infringement of privacy laws has the potential to damage an organisation’s reputation and undermine public trust in that organisation. This is a significant concern for any and all organisations.

UK-based organisations can no longer expect the relative anonymity they have enjoyed so far. The ICO’s strict approach to transparency means that information will be publicised even in cases where no regulatory action was taken.

On a positive note, this approach may help to showcase an organisation’s effective handling of a self-reported data breach. This information could also prove helpful in identifying organisations with a history of data breaches and become part of a pre-contractual screening process. It remains to be seen whether the ICO’s approach will actually act as an incentive for stronger compliance or how this development will affect organisations’ behaviour.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.
 
