
That is the worrying conclusion of the regulator’s 131-page annual report, which stretches to over 30,000 words. And, while it makes a great play on the ICO’s “purpose, strategic enduring objectives, values and causes” as well as its 40th anniversary celebrations, its “milestones of the year” appear decidedly thin on the ground.
In fact, among the smattering of reprimands and fines, the regulator has even included a speech by Commissioner John Edwards at the New Scientist Emerging Technologies summit and two blogs – one on how the ICO helps police forces to comply with FOI requests and another on the ‘ripple effect’ of data breaches.
Meanwhile, the phones just keep on ringing, with the number of calls to the helpline reaching 284,296 (up from 282,213 in 2023/24).
There has been no reduction in complaints either. In total, the ICO received 42,315 data protection complaints in 2024/25 compared to 39,721 in 2023/24. Of those, it issued 36,196 outcome decisions offering advice and recommendations to improve information handling (35,332 in 2023/24). But due to what it claims are “higher demands” for its services, the caseload at year-end has actually increased to 15,810 complaints (compared to 9,168 in 2023/24).
Gripes about nuisance calls, cookies and emails – which fall under PECR – also rose, topping 82,000, compared to just over 78,000 last time round. Even so, the report bigs up the regulator’s award-winning “Help Gran Stop Spam” campaign designed to empower people to protect against predatory marketing calls and texts and its Ripple Effect campaign to support victims who need extra support to protect themselves following data breaches.
Personal data breach reports have also risen, up to 12,412 cases (11,680 in 2023/24), representing an increase of 6%. And, although the ICO completed over 1,400 more cases this year than last, at 12,200 (10,789 in 2023/24), the increase in receipts led to a higher caseload of 1,518 at year-end (1,289 in 2023/24).
The highest reporting sectors remained health, education and childcare, with the most common type of incident reported continuing to be emailing, posting or faxing personal information to the wrong person, in just over 18% of breaches. Only 3% of these reports resulted in an investigation; there is no figure on how many have resulted in formal enforcement action.
Even so, performance is also down on the previous year in 11 of the ICO’s 22 KPIs, with five up and six static.
Of particular concern is the ICO’s pledge to assess and respond to 80% of data protection complaints within 90 days, with the actual figure only reaching 30% compared to 84.8% in 2023/24.
The report states: “Performance against this measure has declined throughout the year as demand for our services has increased and we have been unable to recruit to our vacancies. We are exploring a range of options to improve our performance against this measure.
“This includes recruiting, automating certain administrative tasks and improving our processes for dealing with data protection complaints. While our current forecast shows recovery could take us until 2026/27, we are working to try to achieve that sooner, and aim for our performance to be back in line with our target by the end of 2025/26.”
The regulator has also failed in its pledge to have fewer than 1% of personal data breach reports over 12 months old. This is a new pledge and therefore there is no previous record to compare it to, yet it only hit 25.3%.
The report states: “The increasing age of our average caseload adversely impacted our year-end performance against this measure. The number of PDB reports over 12 months old at the end of the year was 384. We anticipate the improvements we are considering as part of our new operating model will improve performance in 2025/26. Although we forecast a continued decrease in performance (and an increase in reports over 12 months old) until these changes are embedded and begin to reduce the age of our average caseload.”
During 2024/25, the ICO imposed £4.426m in monetary penalties, including £882,000 for PECR breaches (£2.6m in 2023/24) and just £9,200 of GDPR fines (£7,600 in 2023/24), which represents a huge reduction on the £15.648m from the previous period.
However, the regulator still has £28.845m in uncollected fines (£25.912m in 2023/24); £25.576m of which relates to those under appeal. Some £3.541m of the remaining penalties that have yet to be collected are on agreed payment plans, so they are being paid in instalments.
When it comes to staffing, as of March 31 2025, the ICO had 1,051 permanent staff, compared to 1,091 permanent staff in 2023/24, but they were still being paid more, with the wages bill coming in at £72,667,000 compared to £68,904,000 in 2023/24.
The regulator also shelled out a total of £400,000 for a strategic consultant to advise on the initiation of its Data, AI and automation programme.
John Edwards said: “Our enforcement work continues to provide clarity on what the law requires by holding to account those who fall short of their legal obligations. The common thread running through our work is a focus on maintaining high standards that protect people’s rights and freedoms, whilst also ensuring business and government can innovate responsibly and safely. That focus will remain.
“The story of 40 years of information rights is one of change: societal attitudes shift, technology develops, and new legislation is adopted. This report sets out the work of an ICO that has evolved to be fit to regulate a modern, data-driven society. We’ll continue to meet that challenge.”
Picture credit: Twilight Zone CBS

