ICO reveals it has 10,000 data breach cases to probe

The full scale of the gargantuan task facing Information Commissioner Elizabeth Denham and her team has been revealed after the regulator admitted it has over 10,000 active cases – and counting – of potential breaches of data protection laws.
The admission came in a response to a Freedom of Information request made by Decision Marketing, which asked the ICO to provide details of the number of investigations being conducted for breaches of the Data Protection Act 1998, which occurred before GDPR came into force in May 2018.
We also tried to determine whether this backlog has to be cleared before the ICO can start investigations over GDPR complaints. And, if not, how many investigations are currently underway for GDPR breaches.
In response, the ICO turned down our request, citing “Section 12 of the Freedom of Information Act 2000”, which states that a public authority is not obliged to comply with an FOIA request if the authority estimates that the cost of complying with the request would exceed the “appropriate limit”. The appropriate limit for the ICO is £450, which the regulator said would equate to 18 hours work.
The ICO explained that “whilst the information you have requested is likely to sit within our electronic case management system, this system is not set up to easily provide us with the type of information you have asked about”.
It added: “The system allows us to search for the cases we have dealt with in a number of different ways, such as by the unique reference number the case was given, the name and address of the person who contacted us and the name of any organisation that has been complained about. We can also search for cases on the basis of the broad nature or sector of the complaint, but we can only search on a limited number of fixed criteria.
“We are not able to complete a specific search for all open cases that relate to the Data Protection Act 1998 (DPA98). It is also important to point out that a case created after May 25 2018 may still be relevant to DPA98. In order to answer your request we would therefore need to go into every open case within the scope of your request to establish the relevant legislation.
“Having checked our case management system for broad figures I can confirm that there are over 10,000 open cases that could be in scope. Therefore, assuming that each search of each case would take approximately 2 minutes to complete (and it is certain that some searches would take much longer than that), this would equate to over 333 hours worth of searching. This is well in excess of the 18 hours which would accrue a charge of £450.
“It is for this reason, and in accordance with section 12 of the FOIA, that we are not obliged to comply with your request for information.”
ICO senior information access officer Adrian Hay added: “I appreciate this is not the response you had anticipated. I can however confirm we do not have to complete all DPA98 cases prior to dealing with GDPR complaints. Every complaint or report received is dealt with on a case by case basis, indeed some DPA98 matters are still being brought to our attention today.”