Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

1 April 2019 to 31 March 2020

The ICO is a ‘prescribed person’ under the Public Interest Disclosure Act 1998, meaning that whistleblowers are provided with protection when disclosing certain information to us.

The Prescribed Persons (Reports on Disclosures of Information) Regulations 2017 require prescribed persons to report annually on whistleblowing disclosures made to them.

The ICO has published advice for individuals considering making a whistleblowing disclosure.


The number of whistleblowing disclosures made to us during the period 1 April 2019 to 31 March 2020 was 427. All information provided was recorded and used to develop our overall intelligence picture, in line with our Information Rights Strategic Plan 2017-2021.

Further action was taken on 68 of these disclosures. This may result in referral to appropriate departments for further consideration, referral to external organisations (including other regulators and law enforcement) or consideration for use of our enforcement powers. After review and assessment 359 of the 427 disclosures resulted in no further action taken at that time.

During the period 1 April 2019 to 31 March 2020 further action on the 68 disclosures resulted in 73 referrals to various departments (three disclosures resulted in referrals to two departments; one disclosure resulted in referral to three departments).

The outcomes of these referrals:

  • 23 disclosures were taken into consideration for the investigations.
  • Eight disclosures were referred back to Advice Services and the PDB Team including providing advice to the whistleblower and where it would be more appropriate for the matter to be raised as a complaint.
  • 21 disclosures were considered for non-payment of the data protection fee.
  • 12 disclosures were referred to other departments for various actions.
  • Three disclosures were considered for tactical and strategic assessment.
  • Two disclosures being considered for policy advice.
  • Four disclosures resulted in no outcome, but were logged for intelligence purposes only.

After receipt of a concern we will decide how to respond in line with our Regulatory Action Policy. In all cases, we will look at the information provided by whistleblowers alongside other relevant information we hold. For example, if an organisation reports a breach to us we may use information provided by a whistleblower to focus our follow-up enquiries. More broadly, we may use information from whistleblowers to focus our liaison and policy development within a sector, using the information to identify a particular risk or concern.