There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller.

The tools are not mutually exclusive. We will use them in combination where justified by the circumstances.

The main options are:

  • serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period;
  • issue undertakings committing an organisation to a particular course of action in order to improve its compliance;
  • serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
  • conduct consensual assessments (audits) to check organisations are complying;
  • serve assessment notices to conduct compulsory audits to assess whether organisations' processing of personal data follows good practice;
  • issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010;
  • prosecute those who commit criminal offences under the Act; and
  • report to Parliament on issues of concern.

Appeals from notices are heard by the First-tier Tribunal (Information Rights), part of the General Regulatory Chamber (GRC). The First-tier Tribunal (Information Rights) specifically hears appeals of enforcement notices, information notices and monetary penalty notices issued by the Information Commissioner.