The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Below are links to data sets which include information about the public concerns and organisations self-reported incidents we have dealt with. We will updates these reports every three months with information relating to work completed in the previous quarter.

We make this information available proactively in line with our commitment to being open and transparent about our work and in accordance with our Communicating regulatory activity policy.

The data sets are published in a reusable format and include:

  • Our reference number for the work completed;
  • the type of work and legislation it falls under;
  • the name of the organisation responsible for the processing of personal information;
  • the sector the organisation represents;
  • the nature of the issues involved;
  • the date the work was completed; and
  • the outcome following our consideration of the issues.

It is important to note that we are not publishing this information in league tables or after analysis. We predominantly use our casework management system to track and progress individual cases. We don’t use this data in isolation to decide whether regulatory action is appropriate in any particular case, but we might use it to help identify potential trends or to see the size and progress of our caseload. Each line in the data represents a piece of work undertaken to consider a potential contravention of the legislation we oversee.

The data provided reflects the data on the date it was extracted and can be subject to change over time.

Some cases may have more than one outcome, for example where we are given additional evidence which requires us to reopen a case and revise our view. However, all outcomes are recorded as related activities on a single case.

We should also explain that in some instances, cases are recorded against the data controller as the complainant named them when they raised their concern and in other instances they are recorded against a parent company where we are aware of that relationship and it is appropriate for us to do so.

We have published information about matters with the full range of outcomes, including those where, following our consideration, it was unlikely that the legislation we oversee had been contravened. This is because, whether or not there is any further action for an organisation to take, we know the public are legitimately interested in how many concerns and incidents are reported to us.

The data set includes descriptions of the outcome of our work. Please see below for the definitions of the outcomes we use.

If you have any questions about the information please see our Communicating regulatory activity policy.

Please note the data sets from October 2018 do not include information about the self-reported incidents that we have dealt with because they were recorded on a different case management system. We remain committed to disclosing the self-reported incidents, as we have done previously, and work is currently ongoing to allow us to publish them soon.