38,000 data complaints received by ICO last year

July 22, 2020

The Information Commissioner’s Office has published its annual report for 2019-20, covering what the Information Commissioner has called a “transformative period” for privacy and data protection and broader information rights. Due to the period covered by the report it does not reflect the impact of COVID-19 although the ICO said:

”The digital evolution of the past decade has accelerated at a dizzying speed in the past few months. Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family.”

Supporting and protecting the public and organisations

During the period covered by the report, the ICO:

  • received 38,514 data protection complaints;
  • closed 39,860 data protection cases (up from 34,684 in 2018/19);
  • received 6,367 freedom of information complaint cases; and
  • conducted over 2,100 investigations.

It took regulatory action 236 times in response to legislative breaches. That included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines.  

The Age Appropriate Design Code, introduced by the Data Protection Act 2018, was published in January. When it comes into full effect in August 2021, it will provide guidance to businesses to comply with current information rights legislation. 

The ICO intervened in the High Court case on the use of facial recognition technology by the South Wales Police and issued the first Commissioner’s Opinion in response.  

The ICO has also published guidance for businesses and organisations on data protection and Brexit implementation to help compliance with the law once the UK leaves the EU.

It also launched a new freedom of information strategy setting out how to create a culture of openness in public authorities.  It also commits the ICO to making the case for reform of the access to information law as set out in its 2019 Outsourcing Oversight report.

It settled a case with Facebook, which had been brought under the Data Protection Act 1998.


The ICO’s regulatory sandbox service facilitated it working with a number of innovative organisations of all sizes to explore new data uses in a safe way while helping to ensure their customers’ privacy. It also received additional resources from the government’s regulators innovation fund to set up a hub with other regulators to streamline and reduce burdens on businesses and public services using data. Its research grants programme has encouraged innovative research into privacy and data protection issues.

In January, it launched a consultation on an AI framework to allow the auditing and assessment of the risk associated with AI applications and how to ensure their use is transparent, fair and accountable.

Strategic threats

The ICO’s Intelligence Strategy to 2021 sets out how it uses tactical and strategic intelligence to drive activity across the ICO. A key part of this is its new Strategic Threat Assessment which shapes its regulatory work and helps it set priorities. It has identified threats about: cyber security; children and vulnerable adults; surveillance and associated technologies; AI; public sector digital transformation; advertising technology; and invisible processing.


On a global scale, it chairs the Global Privacy Assembly, driving forward the development of the assembly into an international network that can have an impact on key data protection issues across the year. This helps to protect UK citizen’s personal data as it crosses borders and helps UK businesses operating internationally. The ICO is no longer a full member of the European Data Protection Board following the UK’s departure from the EU but it has worked on building relationships with European regulators. It also chairs the OECD Data Governance & Privacy Working Group.