Information Commissioner

Key Points

  • The Information Commissioner is an independent officer, appointed by the Queen for a seven-year term and reporting directly to Parliament, whose role is to uphold information rights in the public interest, promote openness by public bodies and protect data privacy for individuals.
  • The Commissioner acts through his Office, commonly referred to as the 'ICO'.

Information Commissioner

Section 6 of the Data Protection Act 1998 (the “DPA”) created the role of Information Commissioner, and section 114 of the DPA 2018 makes provision for the continuation of the Information Commissioner's role, whose functions are conferred on it by Articles 57 and 58 of the GDPR. Provision about the Commissioner is made in Schedule 12 of the DPA 2018, and the Information Commissioner's general functions are set out in Schedule 13 and Part V of the DPA 2018. Powers of entry and inspection are set out in Schedule 15.

The ICO enforces and oversees the following legislation:

  • Data Protection Act 2018
  • Freedom of Information Act 2000
  • Privacy and Electronic Communications Regulations 2003
  • Environmental Information Regulations 2004
  • INSPIRE Regulations 2009

The ICO is the supervisory authority in the United Kingdom for the purposes of Article 51 of the GDPR.

The Commissioner is responsible for data protection in England, Scotland, Wales and Northern Ireland and also has some international duties.

The Information Commissioner is responsible for maintaining the register of data controllers, for making assessments as to whether processing complies with the DPA 2018 and for imposing sanctions provided for in the DPA 2018. The Commissioner also has a number of other duties under Part V of the DPA 2018.

The Information Commissioner’s enforcement powers

There are a number of tools available to the ICO for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller.

The powers of the Information Commissioner most relevant to employers

Information notices

The Information Commissioner may serve the data controller with an information notice under section 142(1) of the DPA 2018 requiring the data controller to furnish the Commissioner with specified information reasonably required by the Commissioner for the purpose of carrying out their functions.

An information notice may:

- specify or describe particular information or a category of information

- specify the form in which the information must be provided

- specify the time at which, or the period within which, the information must be provided

- specify the place where the information must be provided.

If an appeal is brought, the information need not be provided pending the determination or withdrawal of the appeal (section 142(6) DPA 2018).

Assessment notices

The Information Commissioner may serve a data controller with an assessment notice under section 146 of the DPA 2018 for the purpose of enabling the Commissioner to determine whether the data controller has complied or is complying with the data protection principles.

The Information Commissioner has power in an assessment notice to require a data controller to do a wide range of things, such as allow the Commissioner’s representatives to enter his premises, direct them to specific documents, provide copies of documents and interview staff who process personal data on behalf of the data controller.

Enforcement notices

The Information Commissioner has the power to issue an enforcement notice under section 149 of the DPA 2018 if he is satisfied that a data controller has contravened or is contravening any of the principles by which all personal data must be processed, as set out in the DPA 2018, including data subject rights. The enforcement notice will require the data controller to take or refrain from specified steps. Failure to comply with an enforcement notice may lead the Information Commissioner to issue a penalty notice.

Penalty notices (fines)

Under section 155(1) of the DPA 2018 the Information Commissioner has power to impose a financial penalty on a data controller which requires the data controller to pay a specified amount to the Information Commissioner (but not to award financial compensation to the data subject) if the data controller has failed or is failing to do anything for which an enforcement notice may be issued, or if it has failed to comply with an information notice, an assessment notice or an enforcement notice.

If there is a breach of the GDPR the Information Commissioner may award a penalty of up to the higher of the amount specified in Article 83(5) of the GDPR or, if an amount is not specified there, the standard maximum amount, which is:

- in the case of an undertaking, 10 million euros or 2% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher, or

- in any other case, 10 million euros (section 157(6) DPA 2018).

If there is a failure to comply with an information notice, an assessment notice or an enforcement notice, the maximum amount of the penalty that may be imposed by a penalty notice is the higher maximum amount.

The higher maximum amount is:

- in the case of an undertaking, 20 million euros or 4% of the undertaking's total worldwide turnover in the preceding financial year, whichever is higher, or

- in any other case, 20 million euros (section 157(5) DPA 2018).

Criminal prosecution

The Information Commissioner has power to start criminal proceedings for offences under the DPA.

Under section 170 DPA 2018 it is an offence for a person knowingly or recklessly:

- to obtain or disclose personal data without the consent of the controller

- to procure the disclosure of personal data to another person without the consent of the controller, or

- after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

It is a defence to prove that obtaining, disclosing, procuring or retaining

- was necessary for the purposes of preventing or detecting crime

- was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or

- in the particular circumstances, was justified as being in the public interest.

It is also a defence to prove that

- the person acted in the reasonable belief that the person had a legal right to do the obtaining, disclosing, procuring or retaining

- the person acted in the reasonable belief that the person would have had the consent of the controller if the controller had known about the obtaining, etc. and the circumstances of it, or

- the person acted

(i) for the special purposes,

(ii) with a view to the publication by a person of any journalistic, academic, artistic or literary material, and

(iii) in the reasonable belief that in the particular circumstances the obtaining, etc. was justified as being in the public interest.