Increased transparency: important changes to information made publicly available by the UK’s ICO

• United Kingdom

• Financial services disputes and investigations

12-01-2023

All organisations that process personal data should be aware of recent changes to the way the UK’s Information Commissioner’s Office (“ICO”) publishes information:

• first, the ICO has started publicly publishing details of its reprimands (that is, formal decisions made by the ICO that an organisation has infringed data privacy law, along with recommended further actions), backdated to January 2022. Previously, the ICO only published details of its more stringent actions, e.g. fines it had levied and enforcement notices (“ENs”) which compelled entities to take specific actions. These reprimands, although relatively limited in number to date (under 30), contain significant detail and are likely to be of interest to both claimant law firms and journalists in the same way that fines and ENs are. Reprimands can be issued by the ICO following any sufficiently serious GDPR infringement, for example, a cyber security incident involving personal data or other GDPR personal data breach
• second, the ICO has started publicly publishing details of data protection complaints (whether they are upheld or not), actual or potential data breaches which have been self-reported by controllers (dealt with by the ICO’s personal data breach team, but not referred to the ICO’s investigations department for possible regulatory action), civil investigations (including “incidents” which were not progressed to a full investigation) and cyber investigations, each published in Excel spreadsheets going back to Q4 2020/2021. While there is not much detail in these spreadsheets, for each entry they set out the name of the relevant controller and which Article of the GDPR was infringed or allegedly infringed (so that, for example, complaints about data subject access requests under Article 15 GDPR are easy to spot), and are therefore also likely to be of interest to claimant law firms and journalists who it’s fair to assume will be scanning them regularly

While these developments are in line with the UK ICO’s push toward transparency, and the publishing of reprimands at least was forewarned in a speech by John Edwards – the UK’s Information Commissioner – in November 2022, they were introduced quietly at the end of 2022. Going forwards, these changes will need to be taken into account by controllers when considering whether to self-report potential data breaches (i.e. before there’s a reasonable degree of certainty that there has been a data breach): self-reporting a borderline data breach “just in case” may no longer be an attractive option if that report will subsequently be made public. We would emphasise, however, that clear (i.e. “non-borderline”) data breaches should continue to be reported.