The ICO is a ‘prescribed person’ under the Public Interest Disclosure Act 1998. This means whistleblowers are protected when disclosing certain information to us.
Receiving information from whistleblowers is an important part of our understanding the views and concerns of the public and allowing us to safeguard and empower people, in line with our ICO25 commitments.
The Prescribed Persons (Reports on Disclosures of Information) Regulations 2017 require prescribed persons to report annually on whistleblowing disclosures made to them.
There were 252 whistleblowing disclosures made to us about external bodies from 1 April 2023 to 31 March 2024. This compares with 225 reported in 2022/23.
We recorded all information provided and used it to develop our overall intelligence picture. We took further action on 44 of these disclosures. Such actions may include referral to appropriate departments in the ICO for further consideration; referral to external organisations (including other regulators and law enforcement); and consideration for use of our enforcement powers.
Further action on the 44 disclosures (2022/23: 14) resulted in 57 referrals to internal ICO departments, and five to external regulators or law enforcement agencies for intelligence purposes.
The outcomes of the internal referrals were:
- 21 disclosures were taken into consideration by the Investigations department.
- 24 disclosures were referred for further consideration to other ICO departments.
- Seven disclosures were considered for non-payment of the data protection fee.
- Five disclosures were referred to external regulators or law enforcement agencies for intelligence purposes only.
After review and assessment, 206 of the 252 disclosures resulted in no further action at that time (2022/23: 208 of 225). At the time of writing, we are assessing the remaining two disclosures from this reporting period for potential action.
After receiving a concern, we decide how to respond in line with our Regulatory Action Policy. In all cases, we look at the information provided by whistleblowers alongside other relevant information we hold. For example, if an organisation reports a breach to us, we may use information from a whistleblower to focus our follow-up enquiries. More broadly, we may use information from whistleblowers to focus our liaison and policy development in a sector, using the information to identify a particular risk or concern.