Recent ICO data security incident trends
data protection

Recent ICO data security incident trends

Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.

Start Your Claim
Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

A data breach is the intentional or unintentional release of secure or private/confidential data by, say, employees, cyber-hackers, political activists or national governments.

The Information Commissioner’s Office (ICO) is the U.K.’s independent privacy watchdog who have the responsibility of upholding information rights for the benefit of the public interest. Though there isn’t a legal responsibility on companies and/or organisations to report all data security breaches, it’s considered good practice to do so.

Here’s a look at some of the recent data security incident trends from the ICO.


The Data Protection Act (DPA) presses for companies and organisations to uphold information security:

“…appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

This is the 7th Data Protection principle. In practice, it means companies and/or organisations must have appropriate cyber-security to prevent personal information being accidentally or deliberately compromised.

The ICO provides tips as follows:

To design and organise your cyber-security to fit the nature of the personal data you hold, and the harm that may result from a security breach.
Be clear about who in your organisation is responsible for ensuring information security. There should be a designated chief information officer.
Ensure you have the right physical and technical security; this should be backed up by robust policies and procedures and well-trained staff.
Be ready to respond effectively to any data breaches.

ICO’s penalties

The ICO has recently fined:

  • HCA International Ltd £200,000
  • Royal & Sun Alliance Insurance PLC £150,000
  • Norfolk County Council £60,000
  • A Barrister £1,000

They’re always investigating incidents, and the above is just a small example of the sorts of fines they have distributed.

The ICO’s power isn’t limited to monetary penalties – they can also issue undertakings. In one example, an undertaking was issued to Pennine Care NHS Trust for them to comply with the 7th Data Protection principle.

The privacy watchdog also checks whether undertakings are being complied with. For example, the ICO checked if Wolverhampton City Council (signed in June 2016), Cornwall Council (signed in September 2016) and NHS Digital (signed in April 2016) had completed their undertakings following data protection investigations.

Data breach trends

From October to December 2016 and January to March 2017 there was a reported 20% increase in personal data sent by email to the incorrect recipient, and a 32% increase in failure to black-out personal data.

This is indicative that more training is required for employees who are handling the data. It would be more cost-effective for the company/organisation to train employees on how to handle personal data securely and sensitively rather than having to pay for the repercussions in the event of a security breach.

Though exfiltration seems to be the most common type of cyber-security incident, other vulnerabilities in the system like cyber-security misconfiguration can result in data breaches too. We can’t take these statistics as perfect since they’re based on ‘reported incidents’, and it’s a well-known problem that not all organisations are properly reporting data breaches, and there can be many reasons as to why. One reason is to avoid fines, and another may be to “save face” on the origination’s reputation.

Health and local government at the top of the culprit pile

In the ICO’s study, it’s reported that health, general business and local government were the sectors with the most reported incidents, based on a study published on 20th June. The ICO notes that breach reporting in the health sector is mandatory.

Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.Information on how we handle your data is available in our Privacy Policy.

We offer genuine No Win, No Fee agreements for our clients. Why we do this is simple:

Leading Data Breach Lawyers
Our experience speaks for itself.
We will fight for your right to compensation.
Access to Justice
As a victim of a data breach or hack, you deserve your chance to get access to justice.
Risks Assessment
We carefully risk assess your case and take it on if we think we have a good chance of winning the claim.

Request A Callback From Our Team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'
arrow-up icon