There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of anyone who breaches the Privacy and Electronic Communications Regulations (PECR). They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice imposing a fine of up to £500,000.
These powers are not mutually exclusive. We will use them in combination where justified by the circumstances.
In particular, we can:
- issue an undertaking committing an organisation to a particular course of action in order to improve its compliance;
- conduct an audit to check a service provider is complying with its security obligations, and make recommendations;
- serve an enforcement notice or ‘stop now’ order where there has been a breach, requiring an organisation to take specified steps to comply with the law. Failure to comply is a criminal offence;
- issue a Monetary Penalty Notice, requiring an organisation to pay up to £500,000 for serious breaches;
- impose a fixed penalty of £1,000 on a service provider who fails to notify us of a security breach;
- apply to the court for an order under section 213 of the Enterprise Act 2002 requiring a person to cease conduct harmful to consumers;
- prosecute if the breach also involves a criminal offence under the Data Protection Act, or if an organisation fails to comply with an Enforcement Notice (except in Scotland, where the Procurator Fiscal brings prosecutions); and
- report to Parliament on issues of concern.
On 6 April 2015 the threshold for issuing monetary penalties under PECR changed. An amendment to the Regulations removed the requirement for the ICO to consider whether the contravention is likely to have caused substantial damage or substantial distress. The ICO will be able to issue a penalty for any serious contravention of regulations 19 to 24 of PECR (these provisions cover automated calling and direct marketing). We are in the process of updating the monetary penalties guidance issued under section 55C(1) of the Data Protection Act 1998; this will be published once the Secretary of State has been consulted and the guidance has been laid before Parliament. We will highlight the update in our e-newsletter and on the website.
For more information:
- Data protection regulatory action policy (pdf)
- ICO prosecution policy statement (pdf)
- Monetary penalties guidance (pdf)
- Internal procedure for issuing monetary penalty notices (pdf)
- Audit programme for 2015-2016 (pdf)
Appeals against notices are heard by the First-tier Tribunal (Information Rights), part of the General Regulatory Chamber (GRC). The First-tier Tribunal (Information Rights) specifically hears appeals against enforcement notices and monetary penalty notices issued by the Information Commissioner.