In an important change in policy, the Information Commissioner’s Office (ICO) has begun to publish information about complaints made to it, the self-reporting of data security incidents and the outcome of its subsequent reviews and investigations. This should give companies pause for thought in terms of their dealings with the ICO now that they know that it will not treat what is disclosed as confidential.
In the past, the ICO’s approach has been not to publish information about data security incidents or complaints unless it has decided to conduct major investigations or audits or has reached a decision to issue final enforcement notices. For warnings or reprimands, whether to publicise has been a policy judgment based on the public interest. Until recently the assumption has been against doing so.
The ICO recently changed its stance on publishing reprimands. All reprimands issued by the ICO since January 2022 are now in the public domain. The rationale for this was explained in the Information Commissioner’s keynote speech at the National Association of Data Protection Officers’ conference on 22 November 2022.
However, without any fanfare or announcement, at the end of 2022 the ICO began to publish a much wider range of data regarding its complaints handling and investigations. This information includes the nature of the issue reported to the ICO, the identity of the company under review, and the outcome of the ICO’s review. Though that is much less information than is contained in a reprimand, it is still concerning in terms of the potential impact on a company’s reputation.
The information which the ICO is now publishing is disclosed by reference to categories, which include:
- Complaints from members of the public about breaches of data protection laws and regulations,
- Personal data breaches self-reported by the company concerned,
- Investigations carried out by the ICO which are not cyber-related,
- Investigations carried out by the ICO which are cyber-related, and
- Investigations undertaken by the ICO in relation to marketing calls, texts and emails under the Privacy and Electronic Communications Regulations.
The outcomes which the ICO includes in its published data range from no further action to informal action for an infringement or potential infringement, through to formal action by way of a reprimand, fine, or other enforcement action.
It isn’t clear how often the ICO will update these records. They are currently organised into quarterly reports (going back to Q4 of 2020/21). Whether the ICO will report them more regularly than this remains to be seen.
It seems that the new approach of the ICO is likely to have the following consequences:
- First, companies might now be more reluctant to self-report. It is often finely balanced as to whether self-reporting is necessary. The view sometimes taken is that if in doubt it is better to self-report. Now companies will need to weigh in the balance that if they do self-report, this will find its way into the public domain through the ICO’s new regime. This is likely to result in a reduction in the number of self-reports, which may seem like an unintended consequence. However, given the ICO’s stretched resources for case handling, and the high volume of self-reports where the outcome is “no action”, this may be an outcome the ICO is actually seeking.
- Second, we might see an increase in complaints from the public, particularly where the motivation for making a complaint is to cause a business trouble rather than where there is any real concern. Similarly, we suspect that potential complainants may use the threat of a complaint going public to persuade a company to pay compensation in order to resolve an issue before it is reported to the ICO. In other words, the mere possibility of making a complaint has the potential to become greater leverage than was previously the case. Again, we question whether that is desirable.
- Third, it seems to us that companies will be more inclined to challenge the ICO’s views if the ICO indicates that there is evidence of an infringement. In our previous experience, businesses have sometimes chosen to agree to disagree with a finding made by the ICO. Now, they may be more inclined to challenge the ICO’s view, or at least to invest more in persuading the ICO that there has been no infringement. In terms of the ICO’s workload, it may not desire this outcome. It is worth noting that only the enforcement actions listed in section 162(1) of the Data Protection Act (DPA) 2018 (which does not include reprimands or informal action) can be appealed to the relevant court, the First Tier Tribunal. Short of judicial review, this means that the only route for challenging such a decision is a request for an internal case review at a more senior level within the ICO.
- Finally, businesses will need to consider carefully the potential impact on their reputation now that information in the hands of the ICO (whether from a complaint or self-reporting) is likely to enter the public domain. It seems odd that, even where no infringement is found, information about the complaint or self-report may still be published. From the brief note issued by the ICO with these categories of data, it appears that the ICO feels justified in publishing the identities of the companies involved in these cases because “the public are concerned about how many concerns and incidents are reported to [the ICO]”. This doesn’t seem to justify publishing the identity of any such business, or indeed the basis for complaints made against it.
Regardless of these points, this important change in policy by the ICO needs to be factored into the way businesses manage complaints or data incidents from the very outset. The decision whether to self-report (within 72 hours of awareness of the potential data breach), for example, requires much more careful consideration.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, January 2023