ICO publishes data breach reports and complaints registers

Recently, the ICO published numerous datasets on their website containing details relating to data protection complaints (from the public), self-reported personal data breach cases, and investigations that the ICO have carried out since Q4 of 2020. The datasets include the names of organisations who have self-reported, or had public complaints filed against them, even if no enforcement action was taken.

What is included in the datasets?

Each dataset includes the following information: 

• Reference number for the work completed
• Type of work and legislation it falls under
• Name of the organisation responsible for the processing of personal information
• Sector the organisation represents
• Nature of the issues involved
• Date the work was completed
• Outcome following consideration of the issues

The ICO explain on their website that in some in-stances, cases will be recorded against the Data Controller rather than the Data Processor (as the complainant may have named them originally) and in other instances they may be recorded against a parent company where appropriate. 

Why is this information being published?

This information is being  made available in line with the ICO’s commitment to transparency, and their new “communicating regulatory activity” policy. On the ICO’s website, they state: 

“We publish information about matters with the full range of outcomes, including those where, following our consideration, it was unlikely that the legislation we oversee had been contravened. This is because, whether or not there is any further action for an or-ganisation to take, we know the public are legitimately interested in how many concerns and incidents are reported to us.”
- ICO

Until now, organisations have not had to worry about their names being published for low risk data breaches that do not result in enforcement, as only sanctioned organisations were previously named; following this development however, organisations who report breaches regardless of the outcome, will be named publicly.  

It remains to be seen whether this new development will affect the reporting rate and risk appetite of organisations, or whether the publication of an organisation’s name on a self-reporting dataset may be seen as a positive factor, indicating an organisation who takes responsibility for, and considers data protection a priority. 

Within the ICO’s new policy, they outline the positive reasons for publicising these datasets: 

“Publicity helps to raise confidence in – and awareness of – our work to promote good practice and deter those who may be thinking of breaching information rights legisla-tion...We must be confident of the legality of – and public interest in – the information we publicise about our regulatory work and those we regulate. This policy aims to help all ICO departments act consistently when making decisions about publication and publicity.”
- ICO

Due to the nature of modern working practices and greater understanding of data protection, this development will mean that many organisations will now be sharing the spotlight, therefore organisations should not be worried about reporting potential breaches, but continue to practice positive data protection management.