
The ICO’s complaints and concerns data sets

As part of the ICO’s commitment to transparency about enforcement matters, some time ago it began publishing more detailed data sets about its enforcement activities. Data on civil investigations, cyber investigations, complaints from data subjects, self-reported data breaches and investigations under PECR runs from the start of 2021.

Incidents and Investigations

Where a matter is for potential investigation, it is logged as an ‘Incident’. Where it merits further attention it progresses to a full ‘Investigation’ and ceases to be categorised as an ‘Incident’.

Incidents and Investigations are organised in two categories: ‘Cyber’ and ‘Civil’:

  • ‘Cyber Investigations’ are cases involving potentially serious breaches of personal data resulting from cyber-related attacks; whereas
  • ‘Civil Investigations’ are those from causes other than cyber-related attacks. We infer this category to include investigations arising from reporting (for example) accidental disclosures to third parties, repeated failures to respond to DSARs and failures to carry out DPIAs correctly.

In 2022, 9% of Cyber Incidents and 85% of Civil Incidents progressed to Investigations, showing a markedly different approach to escalation between the two. It may be that controllers often report less serious Cyber Incidents whereas reporting of Civil Incidents tends to be triggered by more substantive issues.

2022 ‘Investigation’ outcomes

By way of a flavour of the ICO’s investigatory activities, we have analysed the 2022 data sets[1] in relation to both Civil and Cyber Investigations. The majority of tags provided in the data sets correlate to a particular outcome, but there are some discrepancies, which we have attempted to align[2].

The following emerges for Investigations in 2022: 

  • 2% resulted in a monetary penalty;
  • 14% resulted in a reprimand; and
  • 17% resulted in advice being provided, leaving 67% where it appears no action was taken against, or advice provided to, the controller. 

In other words, advice and reprimands emerge as the largest categories of further activity by the ICO in relation to investigations conducted (but not the largest category of “outcome” per se). One point to note is that the number of reprimands issued in 2022 almost doubled, to 45, against 23 in 2021.

The data also reflects the ICO’s revised approach to enforcement against public authorities. 72% of reprimands issued in 2021 and 2022 were to public authorities, whereas public authorities received only 2 of the 10 monetary penalties[3] issued in the same period: (i) the Cabinet Office[4] and (ii) The Tavistock & Portman NHS Foundation Trust[5].

How long do Investigations take?

As of the start of 2022, the ICO has provided the start and end date for Investigations. For the 311 Investigations in 2022, the following emerges:

  • the average number of days to complete an Investigation from the initial Incident is 323;
  • the shortest time to close an Investigation was 9 days (in respect of two Cyber Investigations that were closed with no further action being taken) and the longest was 1648 days (a Civil Investigation into the UK Sexual Offenders Register (UK Database) where no further action was taken);
  • 70% of investigations take less than a year to close; and
  • just 12% take over two years to close.

Questions for the ICO

Invariably, the data raises questions about exactly what it is showing us. For example:

  • Why is a greater proportion of Civil Incidents escalated to Investigation than Cyber Incidents?
  • What are the most common forms of advice given to data controllers?
  • What are the commonest reasons for Investigations culminating in the decision ‘No Further Action’? Are they that the controller satisfactorily demonstrated that there has been no risk to data subjects? That adequate mitigation measures were in place? Other factors altogether?

[1] We have not included the 2021 data sets in this analysis. They suggested a marked change in approach to Cyber Investigations between 2021 and 2022, which we will explore in a separate post.

[2] For the ‘investigations’ data labels we grouped the ICO labelling as follows: 

  • Monetary Penalty – Appeal; Civil monetary penalty pursued; fine - higher tier; and Paid in full
  • Reprimand – Reprimand
  • Advice Provided – Advice provided; Compliance advice given to controller; and Compliance Audit Recommended
  • No Further Action – No further action; No action for controller; NFA - ICO not LSA; NDA - in line with Regulatory Action Policy; NFA – other agency dealing and NFA - Legal advice insufficient evidence. 
  • No Personal Data – No Personal Data
  • Closed/Other – Closed- duplicate; Closed - Documents pasted into existing case; Not recoverable; and Internal referral.

[3] When excluding the NHS Scotland monetary penalty which was downgraded to a reprimand in 2023.

[4] ICO and Cabinet Office reach agreement on New Year Honours data breach fine


