The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

In more detail

What enforcement powers does the ICO have?

Anyone has the right to make a complaint to the ICO about an infringement of the data protection legislation in relation to their personal data. For example, if a controller fails to comply with a SAR.

In appropriate cases, the ICO may take action against a controller or processor if they fail to comply with data protection legislation. For example, we could issue a controller or processor with a:

  • warning;
  • reprimand;
  • enforcement notice; or
  • penalty notice.

The ICO will exercise these enforcement powers in accordance with our Regulatory Action Policy.

Whilst a processor does not have any obligations under Article 15, under Article 28 the controller and processor must have a contract in place. The contract must state that the processor will assist the controller with their obligations to comply with a SAR by taking appropriate technical and organisational measures, as far as this is possible (taking into account the nature of the processing). For more information please read our guidance on contracts between controllers and processors.

Can a court order be used to enforce a SAR?

If you fail to comply with a SAR, the requester may apply for a court order requiring you to comply. It is a matter for the court to decide, in each particular case, whether to make such an order.

Can an individual be awarded compensation?

If an individual suffers damage or distress because you have infringed their data protection rights – including by failing to comply with a SAR – they are entitled to claim compensation from you. Only the courts can enforce their right to compensation. However, they may seek to settle their claim with you directly first before starting court proceedings. You will not be liable to pay compensation if you can prove that you are not responsible in any way for the event giving rise to the damage.

Is it a criminal offence to force an individual to make a SAR?

Usually. It is a criminal offence to require an individual to make a SAR, in certain circumstances and in relation to certain information. For more information please see ‘Can we force an individual to make a SAR?’.

Is it a criminal offence to destroy and conceal information?

Yes. It is a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information a person making a SAR would have been entitled to receive.

You can defend this offence if you prove that:

  • the alteration, defacing, blocking, erasure, destruction or concealment of the information would have happened regardless of whether the individual made a SAR; or
  • you acted in the reasonable belief that the person making the SAR was not entitled to receive the information requested.