In detail

What enforcement powers does the ICO have?

Anyone has the right to make a complaint to the ICO about an infringement of the data protection legislation in relation to their personal information. For example, a person may complain if an organisation fails to comply with a SAR or with its duty to give someone enough information to allow them to make a SAR.

In these circumstances, the person can ask the ICO to check that the organisation acted lawfully in refusing their SAR or restricting any of their rights.  

In appropriate cases, we may take action against a controller or processor if they fail to comply with data protection legislation. For example, we could issue a controller or processor with a:

  • warning;
  • reprimand;
  • enforcement notice; or
  • penalty notice.

The ICO will exercise these enforcement powers in accordance with our Regulatory Action Policy.

Although a processor does not have any obligations under section 45 of the DPA 2018, under section 59 the controller and processor must have a contract in place. The contract must state that the processor will assist the controller with their obligations to comply with a SAR by taking appropriate technical and organisational measures, as far as this is possible (taking into account the nature of the processing).

If you are a joint controller, you are only liable to the extent you are responsible for the specific action in question, under the terms of the joint arrangements. As joint controllers, you must ensure you make appropriate joint arrangements for dealing with SARs.

Bear in mind that we may issue an information notice or assessment notice against any person.

Can a court order be used to enforce a SAR?

If you fail to comply with a SAR, the requester may apply for a court order requiring you to comply. It is a matter for the court to decide, in each particular case, whether to make such an order.

If you are a joint controller, bear in mind that a court may only make an order against you to the extent you are responsible for the specific action in question, in accordance with the terms of the joint arrangements.

Can people be awarded compensation?

If someone suffers damage or distress (including financial loss) because an organisation has infringed their data protection rights (including failing to comply with a SAR) they are entitled to claim compensation from them. They are only able to claim compensation from the processor if it has not complied with any of its statutory obligations, or has acted outside or contrary to the controller’s instructions.

If you are a joint controller, and your responsibilities for SARs are covered in your joint arrangements, you will only be liable if you are responsible for complying with the provision which has been contravened, in accordance with the terms of the joint arrangements.

Only the courts can enforce a person’s right to compensation. However, the person may seek to settle their claim with you directly before starting court proceedings. You will not be liable to pay compensation if you can prove that you are not responsible in any way for the event giving rise to the damage.

Is it a criminal offence to destroy and conceal information?

Yes. It is a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information a person making a SAR would have been entitled to receive.

It is a defence if you can prove that:

  • the alteration, defacing, blocking, erasure, destruction or concealment of the information would have happened regardless of whether someone made a SAR; or
  • you acted in the reasonable belief that the person making the SAR was not entitled to receive the information requested.