The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

On this page we publish data sets which include information about the public concerns and organisations self-reported incidents we have dealt with.

We make this information available proactively in line with our commitment to being open and transparent about our work and in accordance with our Communicating regulatory activity policy.

The data sets are published in a reusable format and include:

  • Our reference number for the work completed;
  • the type of work and legislation it falls under;
  • the name of the organisation responsible for the processing of personal information;
  • the sector the organisation represents;
  • the nature of the issues involved;
  • the date the work was completed; and
  • the outcome following our consideration of the issues.

It is important to note that we are not publishing this information in league tables or after analysis. We predominantly use our casework management system to track and progress individual cases. We don’t use this data in isolation to decide whether regulatory action is appropriate in any particular case, but we might use it to help identify potential trends or to see the size and progress of our caseload. Each line in the data represents a piece of work undertaken to consider a potential contravention of the legislation we oversee.

The data provided reflects the data on the date it was extracted and can be subject to change over time.

Some cases may have more than one outcome, for example where we are given additional evidence which requires us to reopen a case and revise our view. This means that a case which appears on one dataset with one outcome may later be reopened and appear again on a subsequent dataset with a different outcome. Therefore data cannot be aggregated over a series of datasets and cannot be used in conjunction with data provided in other reports.

We should also explain that in some instances, cases are recorded against the data controller as the complainant named them when they raised their concern and in other instances they are recorded against a parent company where we are aware of that relationship and it is appropriate for us to do so.

We publish information about matters with the full range of outcomes, including those where, following our consideration, it was unlikely that the legislation we oversee had been contravened. This is because, whether or not there is any further action for an organisation to take, we know the public are legitimately interested in how many concerns and incidents are reported to us.

Cases dealt with by our investigations department are managed using a separate system from other cases and so the format of the reports produced for those cases is different.

If you have any questions about the information please see our Communicating regulatory activity policy.

Data protection complaints

Data sets of complaints we have handled from members of the public about data protection concerns.

Complaints under s.50 of the Freedom of Information Act 2000

Data sets of complaints we have handled from members of the public under s.50 of the Freedom of Information Act 2000 (FOIA) about the handling of requests for information made to public authorities under the FOIA or Environmental Information Regulations 2004 (EIR).

Self-reported personal data breach cases

Data sets of instances where data controllers have self-reported potential personal data breaches to the ICO.

Civil investigations

Data sets of cases involving the investigation of potentially serious breaches of personal data resulting from causes other than cyber related attacks.

Cyber investigations

Data sets of cases involving the investigation of potentially serious breaches of personal data resulting from cyber related attacks.

Investigations under the Privacy and Electronic Communications Regulations 2003

Data sets of cases involving the investigation of potentially serious breaches of privacy rights in relation to electronic communications, such as marketing calls, texts and emails, under the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR).

Financial Recovery Unit investigations

Data sets of cases handled by the Financial Recovery Unit, involving the management and recovery of Civil Monetary Penalties issued for breaches of the Data Protection Act 2018, Privacy and Electronic Communications Regulations 2003 and Network and Information Systems Regulations 2018 and co-ordinating action relating to Proceeds of Crime Act opportunities.