ICO sees huge rise in data protection enforcement cases

The number of new data protection enforcement cases taken on by the Information Commissioner’s Office in 2012/13 has surged by almost 50% compared to the whole of the previous year – with three months still to go, it has emerged.

The current year has so far seen 1,054 cases, compared to 712 in 2011/12. The just released figures for Q3 show a record number of new cases (424) for a quarter.

Potential reasons for the rises include the introduction in the NHS of routine reporting of all data security breaches to the ICO. Previously only serious breaches, involving particularly sensitive data or a high number of individuals, were reported.

Another factor in the growth in the ICO's caseload could be the impact of monetary penalties, with organisations aware that the watchdog looks favourably on those that self-report breaches rather than try to hide them.

Health has been the sector responsible for the highest number of enforcement cases in the year to date at 229, (covering privacy and electronic communications and freedom of information and environmental information in addition to data protection).

It was followed by local government (151 cases), general business (76), education (64) and central government (46). Solicitors and barristers were responsible for 27 cases.

In terms of the outcomes of enforcement work finished so far in 2012/13, the breakdown was as follows:

  • Investigated – remedial action identified: 786 cases;
  • Investigated – insufficient evidence to prosecute: 101;
  • Undertaking obtained: 14;
  • Monetary penalty notice served: 20;
  • Prosecuted: 2;
  • Enforcement notice served: 2.

The ICO has completed 875 cases so far in 2012/13, already up on the 872 for the whole of the previous 12 months.

To see the enforcement statistics, click here.

Philip Hoult