One of the key considerations for any organisation facing a data breach is to avoid publicity around the breach and any criticism from regulators which might reflect negatively on that organisation. It is with this in mind that we frequently get asked by clients whether dealings with the ICO will be kept confidential, unless the ICO deems a fine or sanction is appropriate.
Historically, the ICO has ensured that its dealings with organisations in relation to their reported breaches are kept confidential. This in turn helps encourage early and open reporting to the ICO, even when notification thresholds are not met.
However, the ICO has now entered an era where it will publish the names of any organisation notifying a data breach or cyber incident. The outcome of the particular breach will determine the extent and justification of the publication.
Details of the majority of breach and cyber incidents are now published in one of three data sets, which are available at the following page:
- Self-reported data breaches – which lists the name of any organisation that has reported a data breach where the ICO determined that no further action was required.
- Data breaches – those about which the ICO either (i) asked further questions but did not progress to an investigation; or (ii) investigated and considered regulatory action.
- Cyber investigations – the same as data breaches, but for cyber incidents.
The ICO has provided historic data as far back as Q4 2021.
The ICO states that the provision of these data sets is in line with the ICO’s commitment to being open and transparent about its work and in accordance with its Communicating regulatory activity policy. Interestingly, this policy dates back to 2019, prior to the practice of publishing these data sets. One might therefore question why the ICO felt it was not necessary to publish these data sets earlier.
The answer may lie in a recent speech from John Edwards which revealed more about this “new” strategic approach to enforcement. In his speech to the National Association of Data Protection Officers (NADPO) annual conference on 22 November 2022, he referred to commentary that the ICO was not “enforcing” because of the few fines it hands out and the low level of those fines. Mr Edwards was clear that the number and quantum of fines is not the measure of the ICO’s success or failure, nor of its impact. On that basis, he announced that the ICO would be changing its approach from not publishing reprimands to one where the ICO will publish all reprimands from January 2022 unless there is good reason not to. Our team has advised many clients in relation to objections to ICO publications.
On 6 December 2022, the ICO published all of its reprimands from January 2022 at the following page. This is on top of all the above published data sets. The reprimand data set publishes the name of the organisation and the status of the regulatory outcome, and it provides the finer details behind the reprimand. The status of the reprimand reflects whether an organisation has completed the required actions or if it is still ongoing. To date, the ICO has published 28 reprimands on its website since January 2022.
What this all means is that an organisation should no longer expect the ICO to keep the fact of a breach confidential, and should instead expect to be named in the data sets published by the ICO on its website. Moreover, it will face even greater publicity in the event that it receives a reprimand (i.e. not only a fine). These developments highlight the importance of taking early advice on breach notification thresholds, and throughout subsequent dealings with the ICO, in order to avoid potentially damaging publicity.