26 June 2020
Ms Srinidhi Vasudevan
By email only: email@example.com
Dear Ms Vasudevan,
We write in response to your recent request for information, which we
received on 30 May 2020. We are now in a position to provide a response.
We have dealt with your request in accordance with your ‘right to know’
under section 1(1) of the Freedom of Information Act 2000 (FOIA).
In your correspondence you asked us:
I would like to know the following details about security/data breaches
reported to the ICO by organisations from February 01, 2020 (COVID19
1. How many breaches were reported?
2. For the reported breaches, could you please provide the details
including the name of the organisation, the industry/sector, the
financial impact and the remedial actions taken?
We can confirm that we hold information in scope of your request.
In relation to your first request, between 1 February and 30 May 2020 the
ICO received 2950 breach reports from controllers.
In relation to your second request, of the 2950 breach reports received,
2237 have been closed as requiring no remedial action but advice given.
Our assessment or investigation of the remaining 713 breach reports has
not yet concluded – therefore there are no ‘remedial actions’ or outcome
that we can report on.
The number of breach reports by sector, for the same period is provided
in the following table:
Charitable and voluntary
Education and childcare
Finance, insurance and credit
Land or property services
Online Technology and Telecoms
Retail and manufacture
Transport and leisure
We should advise you that the ICO cannot report on the financial impact
of data protection breaches sustained by controllers—this is not
information we require for our business needs.
You may be aware that the ICO publishes datasets of our completed
casework on our website. These both our FOI and DP casework—including
both individual data protection complaints and breaches reported by
We acknowledge that there is a data set publication gap from September
2018 to present, where information is held, but has not yet been
published by the ICO online. We are actively working to bring these
datasets up to date, however, the ICO continues to manage an
unprecedented number of information requests. This is having an effect
on our ability to keep up to date with our proactive disclosure regime.
We are withholding the remaining information in scope of your request—
the names of individual controllers—under section 22 of the FOIA because
this is information intended for future publication. We explain this
exemption further below.
Information withheld - section 22 FOIA
Section 22 of the FOIA states that information is exempt from disclosure
in response to an information request if:
“(a) the information is held by the public authority with a view to its
publication, by the authority or any other person, at some future date
(whether determined or not),
(b) the information was already held with a view to such publication at
the time when the request for information was made, and
(c) it is reasonable in all the circumstances that the information should be
withheld from disclosure until the date referred to in paragraph.”
The exemption at section 22 is qualified by the public interest test,
meaning that the information should be disclosed if the public interest in
the maintenance of the exemption does not outweigh the public interest
In this case the public interest factors in disclosing the information are:
• Transparency in the number and nature of data breaches reported
to the ICO, and our assessment of these reports.
The factors in withholding the information are:
• The ICO has a history of publishing this information on a periodic
basis and has committed to publishing relevant data sets—at which
point the information will be in the public domain.
• To prepare this information for disclosure earlier than intended, in
response to individual requests we receive, would be time and
resource intensive, and would not be an efficient use of resources
when we intend to publish this information in due course in any
• Earlier disclosure is not necessary to satisfy any pressing public
interest at the present time.
Having considered the public interest arguments, we consider it
reasonable in the circumstances to withhold this information under
section 22 of the FOIA.
That concludes our response to your information request. We trust that
the information we have been able to provide proves helpful.
If you are dissatisfied with this response and wish to request a review of
our decision or make a complaint about how your request has been
handled you can write to the Information Access Team at the address
below or e-mail firstname.lastname@example.org.
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint handler
under the legislation. To make such an application, please write to our
Customer Contact Team at the address given or visit our website if you
wish to make a complaint under the Freedom of Information Act.
A copy of our review procedure can be accessed from our website.
Senior Information Access Officer, Risk and Governance Department
Corporate Strategy and Planning Service
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9
T. 0330 313 1636 F. 01625 524510 ico.org.uk twitter.com/iconews