Taking action: data protection and privacy and electronic communications
There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller.
The tools are not mutually exclusive. We will use them in combination where justified by the circumstances.
The main options are:
- serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period;
- issue undertakings committing an organisation to a particular course of action in order to improve its compliance;
- serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
- conduct consensual assessments (audits) to check organisations are complying;
- serve assessment notices to conduct compulsory audits to assess whether organisations' processing of personal data follows good practice (data protection only);
- issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010, or serious breaches of the Privacy and Electronic Communications Regulations occurring on or after 26 May 2011;
- prosecute those who commit criminal offences under the Act; and
- report to Parliament on data protection issues of concern.
Appeals from notices are heard by the First-tier Tribunal (Information Rights), part of the General Regulatory Chamber (GRC). The First-tier Tribunal (Information Rights) specifically hears appeals of enforcement notices, decision notices and information notices issued by the Information Commissioner. The GRC brings together a range of previously separate tribunals that hear appeals on regulatory issues.
View the Data Protection Regulatory Action Policy
View the ICO Prosecution Policy Statement
View the Assessment Notices Code of Practice
View the Monetary Penalties guidance (updated in January 2012 to include the revised Privacy and Electronic Communications Regulations)
View the Standard Operation Procedures for Monetary Penalties
View the framework used to determine the amount of a monetary penalty
View our statement on enforcing the revised Privacy and Electronic Communications Regulations
View our guide to ICO PECR audits