The Information Commissioner’s Office (ICO) has launched a consultation to gather the views of stakeholders and the public on how it regulates the laws it monitors and enforces.
People will have 14 weeks to comment on three documents, which are all designed to give direction and focus to the organisations it regulates.
The Regulatory Action Policy (RAP) updates the ICO’s 2018 policy and sets out the regulator’s general approach. It reinforces the ICO’s commitment to a proportionate and risk-based approach to enforcement, and it explains the factors taken into consideration before taking regulatory action such as monetary penalties, stop-processing orders or compulsory audits.
It also sets out how the ICO promotes best practice and ensures compliance and how it works with other regulators.
The RAP covers all 11 pieces of legislation that the ICO is responsible for including the UK GDPR, Data Protection Act 2018, Freedom of Information Act and the Privacy and Electronic Communications Regulations which cover nuisance calls, texts and emails.
Statutory Guidance on our Regulatory Action focusses on the sections in DPA 2018 that specify the ICO’s legal obligations to publish guidance to help organisations navigate the law. It also explains how the ICO uses its statutory powers to investigate and enforce UK information rights legislation.
Statutory Guidance on our PECR Powers explains how the ICO uses its statutory powers to enforce the data protection legislation relating to electronic communications like nuisance calls, emails and texts. The guidance focusses on the ICO’s powers to issue monetary penalty notices on a person, or an officer of a body, for data protection failures in respect of the PECR. This is a power that has recently been incorporated into law.
Taken together, these three documents set out how the ICO aims to carry out its mission to uphold information rights for the UK public in the digital age.
Chief Regulatory Officer James Dipple-Johnstone said:
“Information rights have never been more important or impactful. Now more than ever, we support innovation and economic growth, but both require the public to have trust in the way their personal information is used.
“We are focussed on promoting best practice and compliance but, where it is necessary, we will exercise a fair and proportionate approach to enforcement action.”
The ICO is inviting comments about how it exercises its regulatory responsibilities and statutory powers from individuals and organisations. Contributing views is easy through an online survey or via email. You can get more detailed information about the documents and how to feed back on the ICO website. Responses to the documents will be considered before final publication.
While the UK Government is considering changes to the current data protection regime, the ICO will continue to update its policies when it is both necessary and appropriate. The three documents, which are being consulted on, reflect the current regulatory landscape and are not time limited.
Publication of final documents, which is expected by the end of 2022, will be overseen by the new UK Information Commissioner. The Statutory Guidance documents must also be ratified by the Secretary of State for Digital, Culture, Media and Sport before being laid to Parliament.
Notes to editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the UK General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- Monetary Penalties are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
- Monetary Penalties under past and current law are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
- Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
- To report a concern to the ICO, visit ico.org.uk/concerns.