The ICO exists to empower you through information.


This year has seen the biggest upgrade in UK data protection laws for a generation. The General Data Protection Regulation came into effect on 25 May, along with the Data Protection Act 2018.

We launched an investigation into the use of data analytics for political purposes; one of the largest of its kind by a Data Protection Authority. We issued our maximum fine of £500,000 to Facebook, under the old data protection laws, for serious breaches of data protection law.

Our annual track research found that most UK citizens still don’t trust organisations with their data. Trust and confidence is lowest amongst social media companies, with only one in seven (15%) people stating that they have trust and confidence in them.

We marked Data Protection Day by launching the inaugural Data Protection Practitioner Award for Excellence in Data Protection at our 11th annual conference award. This recognises excellence in the field of information rights and those practitioners who go above and beyond when it comes to data protection.

Elizabeth Denham, the UK’s Information Commissioner was elected Chair of the International Conference of Data Protection and Privacy Commissioners (ICDPPC). It is the leading global forum of data protection and privacy authorities, encompassing more than 120 members across all continents, working throughout the year on global data protection policy issues

All five current and former commissioners met for the first time at a dinner in Manchester in November. All the Commissioners spoke about the importance of international connections, keeping abreast of technology and commented on the work of the dedicated and creative staff who worked with them over the years.


We fined eleven charities a total of £138,000 for breaching the Data Protection Act by misusing donors’ personal data. The charities were investigated by the ICO as part of a wider operation sparked by reports in the media about repeated and significant pressure on supporters to contribute.

We launched our first ever Grants Programme for new, independent research into data protection and privacy enhancing solutions.

Our Big Data, AI, Machine Learning and Data Protection report was crowned winner of a Global Privacy and Data Protection Award.

We opened a formal investigation into the use of data analytics for political purposes.


The Independent Commission on Freedom of Information published its review of the FOI Act.

It concluded “that the Act is generally working well, and that it has been one of a number of measures that have helped to change the culture of the public sector”.

Elizabeth Denham, former Commissioner at the Office of the Information and Privacy Commissioner for British Columbia, Canada, succeeded Christopher Graham as Information Commissioner.


A law change was introduced making it easier for the ICO to issue fines to companies that break the law around nuisance calls and texts. The Government removed the requirement for the ICO to prove substantial damage or distress before the ICO can issue a fine.

Christopher Graham said: “The enhanced powers granted to the ICO represent a vote of confidence in the organisation’s policing of data protection. …The change in the law will help us to nail more of these merchants of menace.”

The ICO would go on to issue £2million of fines for nuisance calls and texts in the first year of the new law.


Christopher Graham was reappointed as Information Commissioner by the Ministry of Justice for another two years.


We launched a new project aimed at embedding information rights into the UK education systems.


At the start of the year the Information Commissioner, Christopher Graham, was elected Vice Chair of the Article 29 Working Party.

In November, we served our first two monetary penalties under The Privacy and Electronic Communications Regulations, totalling £440,000, to the owners of a marketing company responsible for millions of unlawful spam texts.


We launched our ‘Data sharing code of practice’ at the House of Commons in May.

In November, we welcomed our new powers, enabling the ICO to impose monetary penalties of up to £500,000 for serious breaches of the Privacy and Electronic Communications Regulations.


In April, new powers to issue monetary penalties came into force, allowing the ICO to serve notices requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act.

Christopher Graham commented, "I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”

The ICO also received additional audit powers. Assessment Notices – compulsory audit notices – could now be issued to organisations that are in significant risk of compromising personal data, but refuse to cooperate with the ICO.

Ken Macdonald was appointed Assistant Commissioner for Northern Ireland, in addition to his role as Assistant Commissioner for Scotland.

In October, we served our first two monetary penalties against the private company A4e and Hertfordshire County Council for serious breaches of the Data Protection Act.


In June, Richard Thomas was appointed a CBE for public service.

Christopher Graham, former Director General of the Advertising Standards Authority, succeeded Richard Thomas as Information Commissioner.

In October, the ICO adopted a new mission statement: "The ICO’s mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."

In December, the ICO gained some additional, limited responsibilities under the INSPIRE Regulations.


Deputy Commissioner Francis Aldhouse retired in January. In June, he was awarded a CBE for his work over 21 years.

In January, David Smith, who joined the Information Commissioner’s Office as an Assistant Commissioner in 1990, became the new Deputy Commissioner with lead responsibility for data protection.


On 1 January, the Freedom of Information Act 2000 was fully implemented. The Act was intended to improve the public’s understanding of how public authorities carry out their duties, why they make the decisions they do, and how they spend their money. Placing more information in the public domain would ensure greater transparency and trust, and widen participation in policy debate.

The Environmental Information Regulations came into force at the same time. The Commissioner was given powers to promote and enforce the Regulations.

In August, Ken Macdonald succeeded Robert Turnbull as Assistant Commissioner at the Scotland office.


As a positive response to devolution and to provide direct support on local information issues, the ICO set up regional offices in Northern Ireland, Scotland and Wales.

The Assistant Commissioners appointed for each area were Marie Anderson for Northern Ireland, Robert Turnbull for Scotland, and Anne Jones for Wales.


In June, Elizabeth France was made a CBE for services to data protection.

Richard Thomas succeeded Elizabeth France as Information Commissioner in December. On beginning his new role Richard Thomas commented, “The heart of my task is to promote good practice amongst all those who handle official or personal information. The best way to achieve this is to get organisations to see that this is in their own best interests. But this must be backed up by a firm and well-targeted use of legal powers where necessary.”


In January, the office was given the added responsibility of the Freedom of Information Act and changed its name to the Information Commissioner’s Office.

Graham Smith was appointed Deputy Information Commissioner with responsibility for freedom of information.

In March, data protection laws were updated to keep pace with the latest communications technologies. The introduction of a new EU Directive on Privacy and Electronic Communications (2202/58/EC) led to the Privacy and Electronic Communications Regulations 2003 which came into effect in December.


The majority of the Data Protection Act comes into force. The name of the office was changed from the Data Protection Registrar to the Data Protection Commissioner. Notification replaced the registration scheme established by the 1984 Act.

Revised regulations implementing the provisions of the Data Protection Telecommunications Directive 97/66/EC came into effect. The Commissioner became responsible for enforcing the regulations. Between May 1999 and 2000, the office received over 650 complaints under those regulations.


The Data Protection Act 1998 received Royal Assent and the provisions of the Data Protection Telecommunications Directive (97/66/EC) relating to direct marketing by phone and fax came into effect.

The first guidance on the 1998 Act, ‘Data Protection Act 1998 – An Introduction’ was published by the office and a series of seminars on the new law were arranged.


The office conducted its first research to assess its own guidance.

With internet use increasing, the office’s website was revised to ensure it was flexible for future development.

The office set up a notification helpline to assist with queries and help data controllers with forms.


DUIS, the Data User Information System, was implemented and the Register of Data Users was published on the internet. The number of new registrations totalled around 213,000. The office was represented at the Working Party of Data Protection Authorities which was set up under Article 29 of the Directive.


The Registrar set up an informal advisory board.

The EU formally adopted the General Directive on Data Protection.

The office began development of a new IT system for registration and complaints handling.


Eric Howe produced his last report as the Data Protection Registrar and retired in September.

Elizabeth France became the second Data Protection Registrar. At this time there were approximately 100 staff at the office dealing with data protection matters for the whole of the UK.

The office produced its first mission statement: "We shall promote respect for the private lives of individuals and in particular for the privacy of their information by:

  • implementing the Data Protection Act 1984;
  • influencing national and international thinking on privacy and personal information."


The first series of free introductory seminars were held at venues throughout the UK. Two specialist seminars for the public sector and finance industry were also held in London.

The Registrar hosted the Fifteenth International Conference of Data Protection and Privacy Commissioners with the theme ‘All about people’.


The registration fee increased to £75 for three years.

Public research indicated that 78% considered the protection of personal privacy a very important issue.


The European Union published its draft directive on data protection and the Data Protection Tribunal had its first five hearings and made its first decisions.


The fee for registration increased to £56 for three years.

The Registrar carried out his first prosecution. The number of prosecutions that year totalled eight.


The registration fee increased to £40 for three years and the number of registration applications received rose to 150,000.


The Data Protection Act came fully into force on 11 November.

The Registrar’s Investigations department was formed.

The first public version of the register on microfiche was placed in 170 libraries. However, it was withdrawn from public libraries in June 1990 and replaced by an index to the register, published in book form.


The enquiry line handled around 66,000 calls throughout the year.

The fee for registration was set at £22 for three years. The Registrar was receiving around 60 complaints a year.


Eric Howe’s office of about 10 people moved in April to Springfield House in Wilmslow, Cheshire. By the end of the year the Data Protection Registrar employed around 80. Around 70 of those were involved in running the registration scheme.

An enquiry line was set up, with around 10 people providing advice and responding to publication requests.

In the first year of opening the office received more than 10,000 telephone and postal queries. The number of complaints totalled 11.


Eric Howe became the first Data Protection Registrar in September, assisted by a small office based in Bracken House, Charles Street, Manchester.

The Registrar was required to oversee the new Act and to set up a register of data users and computer bureaux, which would later become the register of data controllers.

He was given powers to reject registration applications and to remove data users and bureaux from the register. Notices could be issued to enforce compliance with the principles.

The Registrar had supporting duties such as promoting understanding of the Act, considering complaints, disseminating publicity and encouraging sectoral codes of practice. Individuals could obtain copies of information held about them and had certain limited rights to compensation for damage arising from the loss or disclosure of data. Users and computer bureaux, but not individuals, had rights to appeal to the newly created Data Protection Tribunal.