top of page
  • rradar

Information Commissioner’s Office publishes 2019–20 annual report

Updated: Feb 16

Data security is a very important issue for every organisation. Those who fail to effectively tackle it run the risk of incurring significant sanctions from the data regulator, the Information Commissioner’s Office (ICO).

The ICO is the independent regulatory dealing with the:

  • Data Protection Act 2018

  • General Data Protection Regulation (GDPR)

  • Privacy and Electronic Communications (EC Directive) Regulations 2003

  • Freedom of Information Act 2000

The ICO has just released its annual report for 2019-2020 which reveals the action that it has taken this year against organisations who have breached the law.


From 25th May 2018, the ICO was granted new enforcement powers; these included the ability to fine offenders 20 million Euros (or the equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher, for breaching data protection laws.

According to the report, a total of 38,514 data protection complaints were received. This was slightly lower than 2018/19’s figure of 41,661. The ICO closed 39,860 cases (up from 34,684 in 2018/19).

Regulatory action was taken 236 times in response to breaches of legislation. That action included:

  • 54 information notices

  • eight assessment notices

  • seven enforcement notices

  • four cautions

  • eight prosecutions

  • • 15 fines

Where did most complaints originate?

A breakdown of the sectors generating the most complaints shows the following:

  • 15% General business

  • 8% Local government

  • 8% Health

  • 8% Internet

  • 8% Lenders

  • 4% Policing and criminal records

  • 5% Central government

  • 4% Retail

  • 4% Education

  • 3% Telecoms

What reasons generated most complaints?

Figures in the report show that the most common reasons for complaints were:

  • 46% Subject Access

  • 13% Disclosure of data

  • 8% Right to prevent processing

  • 9% Security

  • 6% Inaccurate data

  • 4% Obtaining data

  • 3% Fair processing information not provided

  • 2% Use of data

  • 1% Retention of data

  • 1% Excessive/irrelevant data

What are the consequences of a breach?

The ICO lists all fines and prosecutions on its website. These are the ones recorded over the past year since August 2019.

  • In August 2019, a boiler replacement company was fined £160,000 by the ICO for making spam calls to people registered with the Telephone Preference Service (TPS). The ICO also issued an enforcement notice ordering the company to stop its illegal marketing activity.

  • In August 2019, a finance company was issued with an enforcement notice for failing to respond to a subject access request.

  • In September 2019, a home improvements company was fined £150,000 and received an enforcement notice after making unsolicited marketing calls to individuals registered with the TPS.

  • In December 2019, a pharmacy was fined £275,000 for failing to ensure the security of special category data. The pharmacy left approximately 500,000 documents in unlocked containers at the back of its premises, including names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.

  • In December 2019, a former officer at a local council was prosecuted for accessing social care records without authorisation. She was fined £450, ordered to pay costs of £364 and a victim surcharge of £45.

  • In December 2019, a former officer at a local authority was prosecuted for accessing Social Care records without authorisation. She received a 6-month conditional discharge and was ordered to pay costs of £700 and a victim surcharge of £20.

  • In January 2020, a former social worker was prosecuted for passing the personal information of service users to a third-party provider for local authority young person placements. He was fined £483 and ordered to pay costs of £364.08 and a victim surcharge of £48

  • In January 2020, a retail company was fined £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.

  • In March 2020, a marketing company was fined £171,000 for making unsolicited direct marketing calls.

  • In March 2020, a Town Council clerk was prosecuted for intentionally blocking records with the intent to prevent disclosure. She was fined £400, ordered to pay costs of £1,493 and a victim surcharge of £40.

  • In March 2020, an international airline was fined £500,000 for failing to protect the security of its customers’ personal data.

  • In March 2020, a company was issued with an enforcement notice after making more than 193 million automated nuisance calls and was also fined the maximum of £500,000.

  • In July 2020, a price comparison and technology company was fined £90,000 for a contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.



Looking for more advice or guidance on this matter, or any other business-related issue?

rradarstation gives you 24/7 access to guidance, videos and on demand webinars answering frequent questions and downloadable templates to use in the day-to-day running of your business, each written and verified by our legal professionals. You will find the answers you are looking for at rradarstation.

Need to contact us?

For all media related enquiries, please contact us on

bottom of page