What action we've taken in Q1 2019-20 and what you can do to stay secure

Data security incidents, which are breaches of the seventh data protection principle or personal data breaches reported under the Privacy and Electronic Communications Regulations, are a major concern for those affected and a key area of action for the ICO. We have published this information to help organisations understand what we’re seeing and help them to take appropriate action.

Fines and enforcement notices

In Q1 2019-20, we fined:

We also issued the following enforcement notices:

  • Metropolitan Police Service - Enforcement notices served in June under the 1998 and 2018 Data Protection Acts for sustained failures to comply with individuals' rights in respect of subject access requests.
  • Her Majesty's Revenue and Customs (HMRC) - Enforcement notice issued for failing to get adequate consent to collect callers' personal data.

What you've reported to us

  • These figures are based on the number of reports of personal data breaches received by the ICO during Q1 2019-20. They count the reports submitted by data controllers, not necessarily the number of incidents.
  • Please note that the ICO's internal reporting system has changed since the previous report (Q2 2018-19), which may affect quarterly comparisons.

What you can do to stay secure

  1. Consider metadata when redacting information.
  2. Check all data has been redacted and is not reversible before releasing.
  3. Get someone to double check redactions.
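
One way to automate part of steps 1 and 2 for Word (.docx) files before release, as an added example that is not ICO code: it searches every XML part of the package, not just the visible body, for terms that should have been removed. The function names, the simplified sample document and the name "Jane Example" are constructed for illustration; images, embedded objects and other file formats are not covered.

```python
import io
import re
import zipfile

def scan_docx(docx_bytes, sensitive_terms):
    """Return sorted (part, kind, term) findings for terms still inside the package."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith((".xml", ".rels")):
                continue
            xml = pkg.read(part).decode("utf-8", errors="replace")
            # Tracked deletions keep the removed text in the file, so it is reversible.
            deleted = " ".join(re.findall(r"<w:delText[^>]*>(.*?)</w:delText>", xml, re.S))
            # Drop the tags so text split across adjacent runs is compared as one string.
            plain = re.sub(r"<[^>]+>", "", xml)
            for term in sensitive_terms:
                needle = term.lower()
                if needle in deleted.lower():
                    findings.add((part, "tracked-deletion", term))
                elif needle in plain.lower():
                    kind = "metadata" if part.startswith("docProps/") else "content"
                    findings.add((part, kind, term))
    return sorted(findings)

def build_sample_docx():
    """Constructed sample: the visible text is redacted, but the name survives elsewhere."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(
            "word/document.xml",
            "<w:document><w:body><w:p>"
            "<w:r><w:t>Complaint from [REDACTED]</w:t></w:r>"
            "<w:del><w:r><w:delText>Jane Example</w:delText></w:r></w:del>"
            "</w:p></w:body></w:document>",
        )
        pkg.writestr(
            "docProps/core.xml",
            "<cp:coreProperties><dc:creator>Jane Example</dc:creator></cp:coreProperties>",
        )
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, term in scan_docx(build_sample_docx(), ["Jane Example"]):
        print(f"{part}: {kind}: {term!r} still present")
```

An empty result only means the listed terms were not found as text, so the manual second check in step 3 still applies.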