
Data regulator reports nearly 5,000 impacted by data breaches in first review since 2018

Monday, 9 June 2025 10:08

By Christian Jones

Picture credit: IOM Government

Isle of Man’s information watchdog outlines case volumes, enforcement activity, and regulatory challenges

The Isle of Man’s Information Commissioner has released its first annual report in six years, revealing that nearly 5,000 people were affected by personal data breaches during 2024/25 and setting out new figures on case handling, public engagement, and enforcement.

The report is the first issued under Dr Alexandra Delaney-Bhattacharya, who took up the post in September 2024 following a period of staffing shortages and interim leadership. It covers data protection and Freedom of Information work over the previous financial year and outlines operational challenges and regulatory priorities for the year ahead.

Casework and contact volumes

According to the report, 4,918 individuals were affected by the 152 personal data breaches reported to the Commissioner between April 2024 and March 2025. While this represents a sharp fall in reporting compared to previous years, the Commissioner stressed that the real-life impact of breaches can remain serious – particularly where special category data or vulnerable individuals are involved.

The office also dealt with a high volume of public contact, answering 2,621 phone calls and responding to more than 900 email queries over the course of the year.

FOI and data protection complaints

A total of 22 FOI requests for review were received, with delays continuing to affect the office’s ability to issue timely decisions. At year end, 26 FOI review applications were still open – some dating back over two years. The Commissioner attributed the backlog to resourcing pressures and said the recruitment of a new FOI specialist aims to help address this.

In the area of data protection, 14 complaints were received, with subject access request (SAR) handling remaining the most frequent issue. One public authority received an enforcement notice after failing to respond appropriately to a SAR.

The report states that 79 percent of complaints related to the public sector, while 21 percent concerned private organisations.

AI flagged as an emerging regulatory concern

Artificial intelligence and high-risk data processing are identified as growing areas of focus. While four Data Protection Impact Assessments were submitted during the year, all came from public bodies. No DPIAs were submitted by private sector organisations – a gap the Commissioner says may point to a lack of awareness around legal obligations in this area.

The report calls for further engagement with organisations using or considering AI systems, particularly where automated decision-making may affect individuals’ rights.

Enforcement activity

A total of 14 regulatory actions were taken during the year, including:

  • Three information notices
  • Three warnings
  • Six reprimands
  • Two enforcement notices (one of which is under appeal)

No financial penalties were issued. The Commissioner said a risk-based approach was taken to enforcement, with priority given to high-impact or repeat breaches.

Digital upgrades and proposed reforms

A new online registration system and breach reporting portal went live on 1 April 2025. The portal replaces the previous manual forms process and is intended to speed up reporting and improve case handling.

The office also plans to consult on changes to the current flat registration fee model, which charges all organisations £50 per year regardless of size or risk. A proposed tiered system would scale fees based on organisational profile and processing activities, aligning with international practice and aiming to reduce the office’s reliance on public funding.

Internal capacity and staffing

The report confirms the Commissioner’s office currently operates with just five members of staff, although recruitment is under way to expand capacity. Staffing shortages and leadership turnover in 2023 and early 2024 were cited as key reasons for casework delays and prioritisation of higher-risk complaints.

The office has introduced a red-amber-green triage system to improve risk assessment of breaches and complaints, and is reviewing internal processes to help prevent further backlogs.

Goals

The report sets out five strategic priorities for 2025/26:

  1. Reforming the fee structure for organisations;
  2. Improving internal culture and systems;
  3. Reducing backlogs;
  4. Increasing public and stakeholder engagement;
  5. Enhancing guidance and oversight, particularly around AI and digital technologies.

The Information Commissioner says her office will focus on rebuilding foundations, improving responsiveness, and adapting to emerging risks in a rapidly evolving digital landscape.
