The Information Commissioner’s Office (ICO) describes itself as the “UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” Headed up by the Information Commissioner, Elizabeth Denham (as at January 2020), the ICO deals with a variety of issues, including:
- Data protection complaints – the ICO handles complaints in relation to regulatory concerns about how organisations handle personal data.
- Registration – most organisations which handle data are required to register with the ICO and pay an annual fee, as well as provide an up-to-date list of Data Protection Officers (DPO).
- Enforcement – the ICO can take action against any data protection breaches, conducting investigations, making decision notices, issuing fines and pursuing matters through the courts if necessary.
- Guidance – the ICO provides detailed guides to data protection and information law regulations, as well as creating resources which explain the rights of individuals in relation to their personal data, along with the responsibilities of organisations which control or process personal data.
Some of the main pieces of legislation within the ambit of the ICO include:
- Data Protection Act 2018 (DPA)
- General Data Protection Regulation (GDPR)
- Freedom of Information Act (FOIA)
- Privacy and Electronic Communications Regulations (PECR)
- Investigatory Powers Act (IPA)
Although the ICO is an independent public body, it is sponsored by the Department for Digital, Culture, Media and Sport.
Registering with the ICO
Any organisation (including limited companies and sole traders) which processes personal data is required to register with the ICO, subject to certain limited exemptions (e.g. elected representatives, such as MPs and councillors in county councils). The ICO provides an online self-assessment tool to help businesses and individuals ascertain whether or not they need to register.
The requirement to register with the ICO and pay the relevant fee (see below) is set out in the Data Protection (Charges and Information) Regulations 2018 – and failure to do so will result in a fixed penalty. The ICO maintains a public register of organisations and people who have registered, which includes:
- Name and address of the registered company/individual (along with any other trading names);
- Registration number;
- Payment tier;
- Date of initial registration and expiry date of current registration period; and
- Name and contact details for Data Protection Officer (see below) if applicable.
In December 2019, the ICO launched a new campaign under which it plans to write to all registered companies in the UK, reminding them of their legal responsibility to pay an annual fee if they process personal data. As a consequence, most newly formed companies can expect to be contacted by the ICO.
There is an annual fee to pay upon registration, with three tiers, depending on company size and turnover:
- Tier 1 (£40) – this applies to organisations which have a maximum turnover of £632,000 for their financial year, and a maximum of 10 members of staff (this includes all employees, workers, office holders and partners).
- Tier 2 (£60) – the cap on turnover is £36 million, and there should be no more than 250 members of staff.
- Tier 3 (£2,900) – the largest organisations by turnover and/or staff will fall into this category.
The ICO has created an online fee assessment tool to help organisations decide which tier they fall into.
How to register
Registration and payment need to be completed online at the same time. First-time registration takes about 15 minutes and requires (i) details of the company or organisation, (ii) details of the number of staff and annual turnover, and (iii) credit or debit card details. Information submitted will appear on the public register (unless specified otherwise).
Organisations which have previously registered will receive a reminder to renew their annual data protection registration fee around six weeks before it expires. The order reference and registration reference will be required to complete payment by credit or debit card. There is a fee reduction of £5 if opting to pay by direct debit. See the renewal page on the ICO website for further information.
If any details (e.g. registered address) need to be changed since registration or renewal, it is possible to email or call the ICO, quoting your registration and security numbers – see this page for further information.
Adding a Data Protection Officer (DPO)
The General Data Protection Regulation (GDPR) introduced a requirement for public authorities/bodies, or companies carrying out certain types of personal data processing (e.g. large-scale online behavioural tracking or processing of data relating to criminal convictions), to appoint a Data Protection Officer (DPO). The role of a DPO is essentially to monitor internal compliance with data protection rules, and to act as a source of advice and initial point of contact for such matters, liaising with third parties (including the ICO) where necessary. See this page for further information on DPOs.
To add a DPO, companies should send an email to: firstname.lastname@example.org with the subject line: ‘Add a DPO’ along with relevant details – see this ICO page for a full list of requirements.
Making a data protection complaint
The ICO deals with a wide range of complaints regarding the use of personal information by organisations, including:
- Nuisance phone calls, spam emails or text messages (and even fax messages for those organisations which still use facsimile machines).
- Concerns about how an organisation is using personal information (e.g. if information is incorrect, is held for too long, or is not being kept secure).
- Cookie consent – the ICO provides an online resource for reporting concerns about specific cookies or similar technologies being deployed by websites.
- Right to be forgotten – if an internet search (e.g. via Google) brings up search results which include personal information that has a detrimental impact (e.g. contains defamatory comments) then the ICO can look into this and potentially take action.
- Freedom of information – if a public body is frustrating a legitimate freedom of information request (i.e. in contravention of their duties under the Freedom of Information Act), individuals can complain to the ICO.
- EU-US Privacy Shield – any personal information transferred between the EU and US is subject to a data protection agreement known as ‘Privacy Shield’. Any concerns regarding personal information transferred from the UK to America can be taken up with the ICO (by emailing them at email@example.com). Although the status of the UK within this scheme post-Brexit is uncertain, it is likely that the UK will continue to broadly align its data protection rules with the EU.
To make a complaint relating to data protection or the (mis)use of personal information, follow the instructions on the ICO website.
What are the enforcement powers of the ICO?
Enforcement powers of the ICO are set out in Part 6 of the Data Protection Act 2018 (DPA). One of the key tools at the disposal of the ICO is the power to issue fines in respect of data protection law breaches; these are known as penalty notices. The maximum limit of penalty notices was significantly increased by the GDPR from £500,000 to the higher of €20 million or 4% of global annual turnover.
The DPA also arms the ICO with the power to issue three other specific types of notices, namely:
An information notice is a formal request for a data controller, processor or individual to provide the ICO with certain information which will assist them with an investigation into a suspected compliance failure. There will be a specified time frame in which the information has to be provided. The provision of false information in connection with an information notice may lead to a criminal conviction.
Under section 146 of the DPA, the ICO can issue an ‘assessment notice’ which essentially requires a data controller or processor to allow ICO representatives to conduct an investigation. This may include requiring the controller or processor to:
- Permit ICO representatives to enter specified premises (i.e. to find evidence of a potential data protection breach).
- Direct ICO representatives to relevant documents or equipment on the premises.
- Provide copies of any potential evidence.
- Allow ICO representatives to observe processing of personal data which takes place on the premises.
- Organise interviews with relevant staff and contractors.
Assessment notices may be issued as ‘urgent’, ‘no-notice’ or ‘short-notice’ notices depending on the circumstances (e.g. if the ICO believes there is a threat of evidence being destroyed).
If the ICO is satisfied that an organisation has failed in its duties under data protection or information law, it can issue an enforcement notice. This will specify actions which must be taken by the organisation to rectify its failings and bring it into line with the regulations – or alternatively it will require that certain actions are stopped (e.g. processing of personal information). Specific timescales will normally apply.
Failure to comply with information, assessment or enforcement notices may result in a penalty notice being issued. Court action may also be taken.
To find out more about the enforcement powers of the ICO, see their Regulatory Action Policy.