The ICO is a ‘prescribed person’ under the Public Interest Disclosure Act 1998. This means that whistleblowers are protected when disclosing certain information to us.
The Prescribed Persons (Reports on Disclosures of Information) Regulations 2017 require prescribed persons to report annually on whistleblowing disclosures made to them.
We took further action on 14 of these disclosures. Such actions may include:
- referral to appropriate departments within the ICO for further consideration;
- referral to external organisations (including other regulators and law enforcement); or
- consideration for use of our enforcement powers.
Between 1 April 2022 and 31 March 2023, this further action on the 14 disclosures resulted in 14 referrals to various departments overall.
The outcomes of these referrals were that:
- our investigations teams took 13 disclosures into consideration; and
- we considered one disclosure for non-payment of the data protection fee.
After review and assessment, 208 of the 225 disclosures resulted in no further action taken at that time. At the time of writing, we are currently assessing three disclosures from this reporting period for potential action.
After receiving a concern, we decide how to respond in line with our regulatory action policy. In all cases, we look at the information provided by whistleblowers alongside other relevant information we hold. For example, if an organisation reports a breach to us, we may use information provided by a whistleblower to focus our follow-up enquiries. More broadly, we may use information from whistleblowers to focus our liaison and policy development within a sector, using the information to identify a particular risk or concern.