The Information Commissioner’s Office might talk a good game when it comes to being tough and protecting consumers but its latest figures reveal that despite more than 41,000 data protection complaints in the past 12 months, just 0.02% went on to face regulatory action.
The figures, contained in the ICO Annual Report 2020/22, are likely to reinforce critics of the ICO, many of whom believe the regulator is not tough enough.
In the report, the ICO insists: “We continued to deal with issues that people feel are important to them, in considerable volume. But we did not see a major rise in data protection related issues being shared with us, as the country moved to a new normal and a return to business as usual.
“We remained active throughout the year, and it was clear that the vast majority of organisations had adapted to new working practices and continued to take their data protection obligations seriously.”
In total, the regulator received 36,343 individual data protection cases, compared to 36,607 in 2020/21, and 38,514 2019/20. However, due to the fact that many overlap the reporting period, the ICO said it provided “outcome decisions” in over 41,088″ which was “more casework than ever before”.
Even so, of the 15,000 outcome decisions, 63.47% led to advice being given, 34.48% led to “informal action”, 0.04% led to an investigation and just 0.02% triggered regulatory action.
For personal data breaches, meanwhile, the hit rate was slightly better; ICO received just over 9,500 complaints, and, of those, 9.6% went on to be investigated, the rest did not meet the criteria.
There are, however, no details on the outcomes of the 105,438 complaints it received under Privacy in Electronic Marketing Regulations (PECR). The only comment it would make was that: “We started a number of investigations during the year in order to protect the public and disrupt and punish organisations seeking to send or make unlawful marketing messages and calls.”
Across all the legislation the ICO regulates, during 2021/22 it imposed a total of £3.554m in monetary penalties, with a further £1.137m which is still under appeal and not recognised.
Within the total monetary penalties yet to be collected, £10m relates to the British Airways GDPR and £6.1m for Marriott Hotels, both of these are being paid “on tick”.
However, at the year end, the monetary penalties still outstanding total £17.9m.
Commissioner John Edwards claims: “This document reflects a year of action and progress in supporting information rights in the UK, and presents a body of work that the ICO can be proud of.
“As I joined as Commissioner midway through the period covered by this report, I read much of it as you do, reflecting as an interested observer. And what shone through to me from every page is that 2021/22 was a year of action and impact.”
Related stories
ICO forced to slash fine for DSG after losing appeal
Firms ‘face higher costs, not savings, under data laws’
Govt claims business will save £1bn from new data laws
Data Reform Bill back on track in Tory leadership race
ICO regulatory masterplan barely raises an eyebrow
ICO vows to get tough on predatory calls and FoI mess
Axe data fines for charities, too, say agency chiefs
Industry claims victory as Data Reform Bill is revealed
ICO claims FoI is a priority as criticism of delays grows
ICO courts industry as John Edwards takes the reins