The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO is a ‘prescribed person’ under the Public Interest Disclosure Act 1998, meaning that whistleblowers are provided with protection when disclosing certain information to us.

The Prescribed Persons (Reports on Disclosures of Information) Regulations 2017 require prescribed persons to report annually on whistleblowing disclosures made to them.

The number of whistleblowing disclosures made to us in respect of external bodies during the period 1 April 2020 to 31 March 2021 was 309. All information provided was recorded and used to develop our overall intelligence picture, in line with our Information Rights Strategic Plan 2017-2021.

Further action was taken on 69 of these disclosures. This may result in referral to appropriate departments for further consideration, referral to external organisations (including other regulators and law enforcement) or consideration for use of our enforcement powers. After review and assessment 240 of the 309 disclosures resulted in no further action taken at that time.

During the period 1 April 2020 to 31 March 2021 further action on the 69 disclosures resulted in 82 referrals to various departments overall; 11 disclosures resulted in referrals to two departments; one disclosure resulted in referral to three departments. 

The outcomes of these referrals:

  • 44 disclosures were taken into consideration for the investigations.
  • 13 disclosures were referred to Advice Services and the Personal Data Breach Team including providing advice to the whistleblower and where it would be more appropriate for the matter to be raised as a complaint.
  • five disclosures were considered for non-payment of the data protection fee.
  • three disclosures were referred to other departments for various actions.
  • 16 disclosures were considered for tactical and strategic assessment.
  • one disclosure was referred to an external agency.

After receipt of a concern, we will decide how to respond in line with our Regulatory Action Policy. In all cases, we will look at the information provided by whistleblowers alongside other relevant information we hold. For example, if an organisation reports a breach to us, we may use information provided by a whistleblower to focus our follow-up enquiries. More broadly, we may use information from whistleblowers to focus our liaison and policy development within a sector, using the information to identify a particular risk or concern.