• International Workplace
  • 12 August 2020

ICO dealt with almost 40,000 data protection cases in 2019

During 2019-20, the Information Commissioner’s Office (ICO):

  • received 38,514 data protection complaints;
  • closed 39,860 data protection cases (up from 34,684 in 2018/19); and
  • received 6,367 freedom of information complaint cases.

These were just some of the findings of the ICO’s annual report for 2019-20, covering what Information Commissioner Elizabeth Denham has called a “transformative period” for privacy and data protection and broader information rights.

She said:

“We have seen a transformative period in our digital history, with privacy established as a mainstream concern, and with complex societal conversations increasingly asking data protection questions.

“This report shows the ICO has been at the centre of those discussions, from how facial recognition technology is used to how we protect children online.”

The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

Highlights from the report, which covers the 12 months to 31 March 2020, include:

Supporting and protecting the public and organisations

The Age Appropriate Design Code, introduced by the Data Protection Act 2018, was published in January. When it comes into full effect, it will help steer businesses to comply with current information rights legislation.

ICO intervened in the High Court case on the use of facial recognition technology by the South Wales Police as part of its work to ensure that the use of this technology does not infringe people’s rights. 

Guidance for businesses and organisations on data protection and Brexit implementation was published to help them comply with the law once the UK leaves the EU.



The ICO took regulatory action 236 times in response to breaches of the legislation that it regulates. That included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines.  

Over 2,100 investigations were conducted. The ICO also settled a case with Facebook, which had been brought under the Data Protection Act 1998.



Through its regulatory sandbox service, the ICO has worked with a number of innovative organisations of all sizes to explore new data uses in a safe way while helping to ensure their customers’ privacy.

It also received additional resources from the government’s regulators innovation fund to set up a hub with other regulators to streamline and reduce burdens on businesses and public services using data.

Its research grants programme has encouraged innovative research into privacy and data protection issues.

In January, ICO launched its consultation on an AI framework to allow the auditing and assessment of the risk associated with AI applications and how to ensure their use is transparent, fair and accountable.


On a global scale, the ICO continues to chair the Global Privacy Assembly, driving forward the development of the assembly into an international network that can have an impact on key data protection issues across the year. This helps to protect UK citizens’ personal data as it crosses borders and helps UK businesses operating internationally.

Due to the period covered by the report, it does not reflect the impact of COVID-19 although, acknowledging the pandemic, Denham said:

“The digital evolution of the past decade has accelerated at a dizzying speed in the past few months. Digital services are now central to how so many of us work, entertain ourselves and talk to friends and family. The law has not changed, and the ICO continues to be a proportionate and practical regulator."