ICO sees jump in number of self-reported data breaches

According to the ICO's annual report for 2015/16 (92-page / 428KB PDF) there were 1,954 data protection incidents self-reported by organisations to the watchdog last year, up from 1,666 incidents the previous year.

Nearly half of the self-reported cases were notified by health bodies (46%). Local government bodies self-reported approximately 200 data protection incidents. More than half of all the self-reported data protection incidents related to data security issues, such as the loss or theft of paperwork, personal data sent to the wrong recipient and webpage security problems.

There was also a sharp rise in the number of incidents self-reported to the ICO under the Privacy and Electronic Communications Regulations (PECR), according to the report. In 2014/15 the number of self-reported PECR cases totalled 285, but this rose to 613 last year, it said.

A spokesperson for the ICO told Out-Law.com that the 115% rise in self-reported PECR cases could likely be attributed to the fact that it wrote to telecoms companies last summer to remind them of their obligations to notify personal data breaches under the regulations.

Under PECR electronic communication service providers face obligations to notify the ICO of personal data breaches they experience within 24 hours of becoming aware of the basic facts of that breach and must provide more details of the incidents as soon as possible thereafter.

Last year TalkTalk suffered a major data breach following a successful cyber attack on its systems.

The ICO's annual report also revealed that the total number of data protection concerns the watchdog received last year was 16,388, up more than 15% on the figure recorded the previous year. More than two-fifths of the complaints were about health bodies, general businesses, local government or lenders, it said.

The majority of data protection concerns raised concerned organisations' handling of subject access requests (SARs) or their disclosure of personal data, according to the report. It said 42% of data protection concerns logged were about SARs and that 18% concerned data disclosures. Concerns about inaccurate data, data security and the right to prevent data processing made up more than a quarter of the total number of concerns the ICO received.

In more than 3,000 cases the ICO required data controllers to take action to resolve the concerns raised, the report said. The ICO provided either compliance advice or general advice to organisations in approximately 2,000 cases and in about 80 cases an "improvement action plan" was agreed with organisations that had been the subject of concerns raised, it said.

The ICO also saw a rise in the number of concerns raised about the handling of freedom of information (FOI) requests last year. The number of FOI concerns it received was 5,181, up from 4,976 the previous year.

Issues about the handling of SARs dominated the data protection cases raised with the ICO in 2014/15 and in 2013/14 too, where half of all data protection cases it dealt with concerned SARs.