Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, how many organisations have been investigated by the Information Commissioner's Office (ICO) for breaches of data protection law in each of the last three years.

Over the past two years, in relation to data breaches of data protection law, the ICO took informal action on 12,496 occasions, initiated 452 investigations, and issued two formal regulatory actions in response to personal data breaches. For data protection complaints, which may also be related to data breaches, the ICO took informal action on 14,064 occasions, identified 7,518 infringements, initiated nine formal investigations, and issued five formal regulatory actions. Figures are based on closed cases and retained for two years in line with ICO’s data retention policy, which allows the ICO to retain data for statistical purposes for two years.

The ICO publish actions taken on its website, including monetary penalties, enforcement notices, undertakings, prosecutions and reprimands they have issued. Under the Data (Use and Access) Act (DUAA) 2025, the ICO must also produce an annual report to Parliament detailing its enforcement activities, strengthening transparency and accountability.