As 2024 comes to a close, the Information Commissioner’s Office (ICO) is reflecting on a successful year of effecting change to protect people’s information rights and guide organisations to continually improve to meet their legal obligations.
The ICO is the UK’s independent regulator that exists to empower people through their data protection and freedom of information rights. The ICO regulates the whole economy, including government and the public sector.
ICO 2024 - the year in numbers
- 36,049 data protection complaints completed
- 7,448 freedom of information complaints completed
- 278,637 calls to our Helpline answered
- 65,503 live chat messages answered
- 44,400 reports about nuisance calls
- 28,969 reports about spam emails
- £1,270,000 million in fines issued for nuisance calls
- 1,991 personal data breach cases completed
- 179 investigations completed
- 2,283 Decision Notices issued
- 10 Freedom of Information Enforcement Notices
- 10 Freedom of Information Practice Recommendations
- 12 Reprimands issued
- 41 Audits completed
ICO 2024 – the year in a snapshot
We started the year by launching a Generative AI consultation outlining our emerging thinking on this innovative technology in January. We continue to move fast to address any risks to people and also guide organisations to develop responsibly and in compliance with the law. We also updated our Opinion on age assurance for our world-leading Children’s code setting out how online services must apply appropriate measures when using children’s data. Since the code came into force three years ago, we’ve seen a huge shift in the way children are treated by online platforms. Changes we’ve seen include some targeted and personalised ads blocked for children; adults blocked from directly messaging children who they are not already following, and notifications turned off at bedtime.
In February we ordered public service provider Serco Leisure to stop using biometric technology to monitor staff attendance as no clear alternative was offered, and published new guidance detailing how organisations can comply with data protection law. And we encouraged people to share their personal experiences of trying to get their records in the UK care system and committed to improve our support to them and also organisations that hold the information.
March saw us publish our new fining guidance, setting out how we decide to issue penalties and calculate fines, and in doing so provided organisations with transparency on how we use our fining power. We launched a call for views on our regulatory approach to the “consent or pay” model and wrote to the Association of Online Publishers and the Internet Advertising Bureau UK setting out our views and highlighting that there are many lawful ways to use online advertising when websites give people a fair choice over how their personal information is used.
New guidance followed for the health and social care sector in April detailing how these organisations should keep people informed on how their information is being used. In setting out our 2024-2025 priorities for protecting children’s personal information online, the Information Commissioner called on social media and video sharing platforms to improve their data protection practices so children are safer when using their services.
May saw us publish our “Learning from the mistakes of others” report providing lessons learnt from common security mistakes, as we called on all organisations to boost their cyber security measures to protect the personal information they hold. We also concluded our Snap, Inc investigation after the platform took significant steps to review and mitigate risks posed by its “My AI” chatbot. Our early action in this case ensured people were protected.
The summer was busy. In June we announced our joint investigation into the October 2023 data breach at genetic testing company 23andMe. This reflects our commitment to collaborate on protecting the fundamental right to privacy of individuals across the globe. We were also pleased to see Meta pause their plans after reflecting on the concerns we raised with them regarding the platform’s plans to train generative AI with user data.
We called out water companies in July, demanding they be transparent about sewage discharges to rebuild public trust, and reprimanded the Electoral Commission after a cyber attack compromised its servers.
In August we announced that we were calling on 11 social media and video sharing platforms to improve their children’s privacy practices. To help small organisations and sole traders comply with data protection law, we launched a new, quick and easy tool for them to create a bespoke privacy notice showing customers what happens to their personal information.
September saw us sign a memorandum of understanding with the National Crime Agency. This was an important step as, by working together, we can boost the UK’s cyber resilience. We were pleased to see another platform, LinkedIn, suspend its approach to train generative AI models after our intervention. We also welcomed Instagram’s new protections for younger users following our engagement with them, as the platform announced the launch of teen accounts.
We launched a new audit framework in October, designed to help organisations assess their own compliance with key requirements under data protection law, meaning they can reassure customers that personal information is being handled with care. The Commissioner also issued a stark warning to organisations across the country stating they “must do better” to protect people as he highlighted the consequences of a data breach. The Police Service of Northern Ireland was also issued with a £750,000 fine for a data breach which exposed the personal information of its entire workforce – just one piece of our enforcement action this year.
November saw us celebrate our 40-year anniversary with the launch of Our lives, our privacy: the 40 items that shaped 40 years of privacy rights. The items represent key moments since 1984 when people’s right to privacy or access to information has been affected – positively or negatively – and we explain the role we’ve played protecting people’s rights.
In December we welcomed the Court of Appeal’s (CoA) unanimous dismissal of a long-running appeal against our first Data Protection Act 2018 monetary penalty notice and published our Generative AI consultation response warning developers they must tell people how their information is being used. We also gave a clear response to Google that businesses do not have free rein to use fingerprinting to track users online as they please.
2025 looks set to be another busy and productive year for the ICO, not least due to the progression through Parliament of the Data Use and Access Bill which will see changes to the structure of the ICO. To review all our 2024 news, visit the media section on our website.