UK ICO's new approach to publishing details of complaints, breach reports and reprimands
Late in 2022 the ICO changed its policy on publishing details of information law complaints and concerns from the public, self-reported data breaches and reprimands issued against organisations by the ICO. Previously, these were not routinely published, but now data sets on all complaints, concerns and self-reported data breaches received since Q4 2020/21 have been made available online in a reusable format. All ICO reprimands issued from January 2022 onwards will also be published, unless there is a good reason not to. Those operating in the UK should be aware of the level of detail on their information handling practices that has become publicly available as a result of these changes, and the potential reputational and commercial impact this could have.
Complaints, concerns and self-reported data breaches
The ICO has added a dedicated page to its website containing a series of data sets on the information law complaints and concerns that it has handled since Q4 of 2020/21. These include information on complaints received from members of the public, data breaches self-reported by an organisation to the ICO and details of ICO investigations into cyber attacks and breaches of the Privacy and Electronic Communications Regulations. The ICO says that it has released these data sets retrospectively in line with its commitment to transparency and will continue to publish them on a quarterly basis.
The data sets include the name of the organisation that is the subject of the complaint or concern, the date and the outcome. Some also contain the relevant sector and details of the decision and the nature of the issue. Many of the incidents in the data sets resulted in no further action being taken, but they have still been included in the interests of transparency.
Organisations may assume that groundless complaints or breach reports made out of an abundance of caution will not be publicised, as long as that they do not result in formal enforcement action. However, the ICO's new approach means that even minor complaints or concerns will be in the public domain.
While the data sets are in Excel format and not particularly prominent on the ICO's website, they are easily available to anyone interested in digging deeper, including journalists, commercial counterparties conducting due diligence and competitors.
In late November 2022, the Information Commissioner announced that the ICO will now routinely publish on its website all of the reprimands it issues, except where there is a good reason not to do so. Reprimands since January 2022 have been published retrospectively.
A reprimand sets out the ICO's view that the UK GDPR has been infringed, without necessarily compelling the organisation to take any further steps. The register contains the formal reprimand letters sent by the ICO, including the organisation's name, details of the issue, the ICO's views, details of the reprimand and recommended actions. Certain details are redacted.
The Information Commissioner stated that the intention in publishing reprimands is for accountability to the public, to deter others from similar breaches and in some cases to indicate a potential "tariff", had a fine been issued.
The data sets will shine a light on numerous minor data-related issues encountered across a variety of sectors. They could provide a useful indicator of the stance that the ICO may take on a particular issue. However, their routine publication should remind organisations to take every interaction with the ICO seriously. Confirmation in a reprimand that the ICO considers that the UK GDPR has been breached could also play a part in any litigation brought by data subjects.
The publication of details of multiple data protection issues, however groundless or minor, will inevitably carry reputational risks and may lead to questions from those conducting due diligence or investigations into suppliers and other counterparties. Evidence of a number of minor breaches or complaints may raise particular concerns.
Article provided by INPLP member: Katie Hewson (Stephenson Harwood LLP, United Kingdom)
Dr. Tobias Höllwarth (Managing Director INPLP)