The UK’s data protection watchdog is recruiting more warm bodies to tackle its red-rated backlog of unresolved complaints.
The Information Commissioner’s Office (ICO) publishes quarterly performance reports about its various objectives, one of which is to respond to 80 percent of data protection complaints within 90 days. The latest report, which came out on April 1, revealed it missed that target by the biggest margin on record.
The report also revealed that the number of personal data breach reports that were “over 12 months old” at the end of the quarter was 279, up from 66 at the end of Q2.
Only 12.3 percent of data protection complaints were assessed and responded to during Q3 for 2024/25, an all-time low score based on available records and one that by its own admission is expected to worsen until major changes are implemented.
The ICO says “significant digital and process changes” are on the way, but won’t be rolled out until internal consultations have concluded.
The report also revealed that the ICO planned to deliver an automated case creation process by March 2025, and is in the process of hiring 19 new staff to help with the increasing number of complaints the regulator receives.
In the latest reporting period (Q3 2024/25), the ICO said it received 10,139 complaints representing an increase of 746, or 7.9 percent, compared to the same period the year before.
The regulator released a statement alongside its Q3 performance report acknowledging the frustration that reporters of data protection issues would likely be feeling.
A spokesperson said: “Anyone who has felt the need to make a complaint to us deserves a timely response. Our current response times are not where we want them to be, and we know how frustrating this is for people who are asking for our help.
“We are committed to getting back to meeting our target of responding to 80 percent of complaints within 90 days and are introducing several initiatives over the coming months that we believe will help us to achieve this.
“We want to thank people for their patience while we address this issue. Our frontline staff continue to work hard to respond to all complaints and we are confident that our approach will bring about the necessary improvements. Please be assured that we continue to triage cases and prioritize those that urgently need attention.”
The ICO’s report [PDF] included a further three red-rated metrics, indicating severe under-performance.
Most of the metrics, red-rated or not, are measured in line with the expectations set out by the regulator’s service charter. If the watchdog maintained its under-performance for successive periods, without addressing these concerns or offering solutions to rectify the issues, then it could be referred to the UK’s Parliamentary and Health Service Ombudsman (PHSO) for investigation.
The ICO’s goal of resolving 80 percent of written inquiries (public and business advice) within seven calendar days was one of the other three to be rated red, with only 61.7 percent of responses meeting this objective.
It was, however, the first time since Q4 2021/22 that it failed to achieve a green rating here, and even then it was only 3.2 percent off the mark. It said staff from the business advice department were drafted in to help with a new pilot scheme to ensure fined entities were indeed paying up, but this invariably built up a backlog in their usual line of work.
The regulator also missed out on resolving 99 percent of written (public and business) inquiries within 30 calendar days. A red-rated score of 81.3 percent was the first time it was wide of the mark in over a year, and was again attributed to the business advice team working on other things.
The final red-rated metric, which isn’t part of the ICO’s charter, was the objective to resolve more than 99 percent of personal data breach reports within 12 months. While the ICO scored near-perfectly before, the past two quarters saw performance slide downward, with 14 percent of cases going unanswered for a year – up from 3.4 percent last quarter.
The regulator didn’t offer a reason for the dramatic increase in aging reports, but said it is considering improvements as part of a new operating model for the year 2025/26. Until those changes are implemented, it expects a continued decline in performance.
Not all the news is bad, though, as the majority of metrics are all being met or exceeded, earning green status, with only a handful of amber-rated metrics, signalling minor missed targets.
The ICO’s performance is also not a concern for the PHSO either, at least not so bad to warrant an investigation. Despite receiving four complaints via the ombudsman, none of them were upheld.
According to available records, the only time the ICO has been reprimanded by the PHSO was in Q2 2022/23 after 11 complaints. The ICO was found to have missed a service-level agreement, but was merely required to remind staff to meet targets. ®
