ICO to focus resources on investigating repeat or serious data protection breaches

The Information Commissioner's Office (ICO) is consulting on a new approach to how it manages data protection complaints. Our Data Protection team take a closer look at the proposed changes.

13 January 2014

The Information Commissioner's Office (ICO) is consulting on a new approach to how it manages data protection complaints.

Why the changes are required

High profile stories and data protection breaches being reported in the media have made data protection a hot topic in the past few years. Increasing public awareness has seen a rise in individuals raising complaints with the ICO which dealt with over 40,000 enquiries last year. Only 35 per cent of the complaints received in 2012/13 resulted in an assessment that the Data Protection Act had been contravened.

The proposed changes are designed to increase efficiency, and complaints will be investigated only when there is a clear public benefit.

The objective is to limit ICO involvement by encouraging organisations and individuals to engage with each other directly. Complaints should be dealt in the first instance by the organisation against who the complaint is made. The ICO can then focus its resources on dealing with the organisations which have serious or repeat complaints made against them.

The consultation is available online and encourages responses from all interested parties. The deadline to respond to the consultation is 31 January 2014. The changes are intended to be implemented on 1 April 2014.

What the proposed changes are:

  • Dealing only with relevant matters: The ICO wishes to avoid being drawn into disputes where data protection issues are only peripheral.
  • Greater role for businesses: Businesses are encouraged to deal effectively with concerns raised about data protection, engage the public and explain data protection practices. It is not clear at this stage what level of engagement businesses will be required to undertake. The changes may result in organisations needing to set aside additional resources and management time.
  • Proportionality of response: Organisations will notice a change in how they are contacted by the ICO, which will employ a variety of approaches rather always seeking to assess compliance. The consultation does not set out a clear process which the ICO will follow when considering what is proportionate. The ICO will then determine whether the complaint is a one off or demonstrates poor practice by the organisation.
  • Processing concerns: The ICO has committed to improving its systems for capturing and analysing information. Action will be taken where there is an identified opportunity to improve practice and organisations will be asked to explain their actions to the ICO in potentially serious cases.
  • Transparency: In addition to publication of undertakings and enforcement action, the ICO now plans to publish the number of concerns raised about organisations on its website. It has also committed to publishing regular reports which will highlight improvements achieved and other information to add context to the figures published.

If you would like further information, please contact Andrew Dunlop, Chris O'Connell or your usual Burges Salmon contact.

Key contact

Andrew Dunlop

Andrew Dunlop Partner

  • Head of Outsourcing
  • Head of Technology
  • Head of Data Protection

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more