ICO (UK)

From GDPRhub
Information Commissioner’s Office
Name: Information Commissioner’s Office
Abbreviation: ICO
Jurisdiction: United Kingdom
Head: Elizabeth Denham
Deputy: James Dipple-Johnstone
Address: Water Lane, Wycliffe House, Wilmslow - Cheshire, SK9 5AF, UNITED KINGDOM

Webpage: ico.org.uk
Email: icocasework@ico.org.uk
Phone: +44 1625 545 700
Twitter: https://twitter.com/ICOnews
Procedural Law: Data Protection Act 2018
Decision Database: Actions by the ICO
Translated Decisions: Category:ICO (UK)
Head Count: 822 permanent staff (as of 31 March 2021)

Budget: approx. £69m for 2021/2022

The Information Commissioner’s Office (ICO) is the national Data Protection Authority for the United Kingdom. The ICO is in charge of enforcing the GDPR in the United Kingdom. The requirement to have a data protection authority stems from Paragraph 114 of Part 5 of the Data Protection Act 2018, which is the national act implementing the GDPR in the UK. The ICO's head office is in Wilmslow, and it also has offices in Scotland, Wales, and Northern Ireland. The ICO is an executive non-departmental public body, sponsored by the Department for Digital, Culture, Media & Sport.

Structure

The current Information Commissioner at the ICO is Elizabeth Denham, who was appointed in 2016. Section 115 of Part 5 of the Data Protection Act 2018 sets out the general functions that are conferred upon the Commissioner. The Information Commissioner directly supervises the Deputy Commissioner and Chief Regulatory Officer (James Dipple-Johnstone), the Deputy Chief Executive and Chief Operating Officer (Paul Arnold), and the Deputy Commissioner for Regulatory Innovation and Technology (Simon McDougall). These three individuals then supervise the remainder of the Executive Team.

As a Corporation Sole (a legal entity consisting of a single incorporated office), all formal powers and duties of the ICO rest with the Commissioner. However, the ICO has a Management Board, whose primary purpose is to assist the Information Commissioner in discharging her statutory responsibilities on a long-term and strategic basis. Further information about the ICO's decision making structure can be found here.

Applicable Material Law in the UK

When the General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into national law through the Data Protection Act 2018. The Data Protection Act also implemented the EU Law Enforcement Directive (LED), and further extended data protection laws to areas not covered by the GDPR or the LED.

The Data Protection Act 2018 is divided into four main regimes, each dealing with processing for a specific type or category of data. Part 1 deals with processing within the scope of the GDPR. Part 2 deals with processing outside of the scope of the GDPR. Part 3 deals with processing by competent authorities for law enforcement purposes. Part 4 deals with processing by the intelligence services. Apart from these four main parts, the act also includes Part 5, which speaks about the Information Commissioner, Part 6, which deals with enforcement, and Part 7, which provides some additional provisions. The Act then contains 20 Schedules, which elaborate on the different parts of the Act.

Procedural Information

Applicable Procedural Law

The UK does not have a general procedural act or law. This is usually governed by the common law. Procedures are also governed by the provisions of the Data Protection Act 2018 (see Part 5 for provisions relating to the ICO's role).

Complaints Procedure under Art 77 GDPR

The right of a data subject to lodge a complaint is found in Section 165 of Part 6 of the Data Protection Act 2018. It stipulates that a data subject can lodge a complaint before the ICO if they consider that there has been an infringement of the GDPR with regard to their personal data. Section 165(3) stipulates that the Commissioner must facilitate the making of such complaints. If the Commissioner receives a complaint, they must:

  1. take appropriate steps to respond to the complaint,
  2. inform the complainant of the outcome of the complaint,
  3. inform the complainant of their rights under section 166 of the Act, and
  4. if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.

With regard to taking appropriate steps, Section 165(5) specifies that this means the ICO must (1) investigate the subject matter of the complaint, and (2) inform the complainant of the progress of the complaint, including whether further investigation or coordination with another supervisory authority or foreign designated authority is necessary.

Section 166 also gives the data subject the right to progress a complaint if the ICO fails to handle the complaint. This includes:

  1. failing to respond to the complaint,
  2. failing to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or
  3. failing to provide the complainant with information during a subsequent period of 3 months if the Commissioner's consideration of the complaint was not concluded within the first three months.

Ex Officio Procedures under Art 57 GDPR

Section 115 of the Data Protection Act 2018 confers upon the Commissioner the tasks listed under Article 57 GDPR. However, the Act does not further elaborate on the scope of these tasks. The lists of tasks conferred upon the Commissioner include:

  • Monitoring and enforcing the application of the GDPR (including the handling of complaints)
  • Promoting public awareness and understanding of the risks, rules, safeguards and rights, in relation to processing
  • Providing information to data subjects about the exercise of their rights under the GDPR upon request
  • Cooperating with other Supervisory Authorities to ensure the consistent application of the GDPR
  • Keeping records of infringements of the GDPR and their corrective measures

Therefore the ICO can investigate, audit, advise, and so forth, when it comes to breaches of obligations under the GDPR. This grants the ICO wider powers than it previously had under the Data Protection Act of 1998.

The Data Protection Act 2018 subjects the powers of the ICO (which are listed in Article 58 GDPR) to certain safeguards, which are listed in Section 115(5)-(9) of the Act. For instance, Section 115(9) requires that the ICO issue a penalty notice where they want to impose an administrative fine.

Appeals

Section 166 of Part 6 of the Data Protection Act 2018 reflects a data subject's right to advance a complaint before a Tribunal if the ICO fails to take appropriate steps to respond to the complaint, fails to provide information within three months, or fails to provide the data subject with consideration of the complaint within three months. A Tribunal may order the ICO to take appropriate steps to respond to the complainant, or to inform the complainant of progress or the outcome of a complaint.

According to Section 162 of Part 6 of the Data Protection Act 2018, a party can appeal to the Tribunal against: a) an information notice, b) an assessment notice, c) an enforcement notice, d) a penalty notice, and e) a penalty variation notice.

Section 205 specifies that this "Tribunal" will, in most cases, be the First Tier Tribunal (Information Rights). If an appeal raises particularly complex or important issues, it may be transferred to the Upper Tribunal (Administrative Appeals) Chamber. The Upper Tribunal also hears appeals against decisions of the First Tier Tribunal (Information Rights). Appeals against decisions of the Upper Tribunal are heard in the Court of Appeal.

Practical Information

Filing a complaint

The ICO provides various standard forms, depending on the subject matter of your complaint:

  • The standard form for a complaint is called a "Personal Information Concern" on the ICO website. Such a concern relates to "Accessing your personal information" or "Other concerns" (e.g. handling of personal data, wrong information, loss of information, etc.). The form is available here.
  • The standard forms for "Nuisance calls and messages" are available on the ICO website. There, you will be able to select which type of complaint you are making.
  • The standard form for "Concerns about cookies" is available here.
  • The standard form for "Internet search results" enables you to exercise your right to be forgotten. It is available here. You will have to first contact the search provider with this request and wait for their final and full decision before making a complaint.

Once a complaint has been received, the ICO proceeds by gathering facts and collating similar concerns against the organisation. The ICO will take action against the organisation where there is a clear and serious breach of the applicable law.

Known problems

Please be aware that for "Personal Information Concerns", the ICO standard form will require you to contact the organisation responsible in writing and wait a period of 1 month (if you have no response) before filing a complaint. There seems to be no legal basis for this requirement in the GDPR.

It is unclear what the status of the GDPR will be during the UK's transition period out of the EU (in the context of Brexit). This is clear from Title VII (Articles 70-74) of the Agreement on the Withdrawal of the UK from the EU. It also remains to be seen if the UK will be granted an 'adequacy' decision, attesting that it has a level of protection for personal data essentially equivalent to that in the EU.

Filing an appeal

As mentioned above, Section 162 of Part 6 of the Data Protection Act 2018 grants the data subject the right to appeal to a Tribunal if they have been given a notice. A data subject should lodge a complaint at the First Tier Tribunal (Information Rights) within 28 calendar days of receiving the notice.

To file an appeal before the First-tier Tribunal (General Regulatory Chamber), you must fill in a form and send it by email or post. Detailed guidance on how to complete the form and where to send it is available here.

Filing a lawsuit

Paragraph 167 of Part 6 of the Data Protection Act 2018 gives the data subject the right to claim a remedy in court. Although the GDPR gives the data subject a right to claim compensation from an organization if they have suffered damage as a result of it breaking data protection law, the ICO cannot award compensation. Therefore, data subjects will have to go before a court to claim compensation. Typically, this claim will first take place before the Small Claims Court.

What if the court has to determine a matter of EU law?

The EWCA in Open Rights Group v Secretary of State for the Home Department helpfully summarised the approach to be taken by courts per section 6 of EUWA and in The European Union (Withdrawal) Act 2018 (Relevant Court) (Retained EU Case Law) Regulations 2020, SI 2020 No 1525:

(1) A UK court must now decide any question as to the validity, meaning or effect of any retained EU law for itself: it is no longer possible to refer any matter to the CJEU: EUWA s 6(1)(b).

(2) But the general rule is that the court must decide any such question in accordance with any retained case law and any retained general principles of EU law that are relevant: EUWA s.6(3). "Retained EU case law" and "retained general principles" mean principles laid down and decisions made by the CJEU before IP completion day.

(3) When it comes to principles laid down or decisions made by the CJEU after IP completion day, the court is not bound (EUWA s 6(1)) but "may have regard" to them (EUWA s 6(2)).

(4) The position is different in a "relevant court", which includes the Court of Appeal. Subject to an exception that does not apply here, a relevant court is not absolutely bound by any retained EU case law: EUWA s.6(4)(ba) and Regulations 1 and 4. It can depart from that law; but the test to be applied in deciding whether to do so is "the same test as the Supreme Court would apply in deciding whether to depart from the case law of the Supreme Court": EUWA 6(5A)(c) and Regulation 5.

(5) The test the Supreme Court applies is the one laid down by the House of Lords in its Practice Statement [1966] 1 WLR 1234, when Lord Gardiner LC said this:

"Their Lordships regard the use of precedent as an indispensable foundation upon which to decide what is the law and its application to individual cases. It provides at least some degree of certainty upon which individuals can rely in the conduct of their affairs, as well as a basis for orderly development of legal rules.

Their Lordships nevertheless recognise that too rigid adherence to precedent may lead to injustice in a particular case and also unduly restrict the proper development of the law. They propose, therefore, to modify their present practice and, while treating former decisions of this House as normally binding, to depart from a previous decision when it appears right to do so.

In this connection they will bear in mind the danger of disturbing retrospectively the basis on which contracts, settlements of property and fiscal arrangements have been entered into and also the especial need for certainty as to the criminal law.

This announcement is not intended to affect the use of precedent elsewhere than in this House."

ePrivacy Directive

The ICO is also competent to enforce the Privacy and Electronic Communications (EC Directive) Regulations 2003, which is the Statutory Instrument that implemented the ePrivacy Directive 2002/58/EC. The Privacy and Electronic Communications Regulations (PECR in short) operates alongside the Data Protection Act 2018 and the GDPR, and gives people specific privacy rights in relation to electronic communications. In particular, it regulates marketing calls, emails and texts, cookies, customer privacy as regards traffic and location data, and helps to keep communications services secure. The powers granted to the ICO to enforce the PECR include the provision of monetary penalties, criminal prosecution, non-criminal enforcement and audit.

Statistics

Funding

The ICO is the best-funded DPA in Europe with a total budget of €61m in 2019, according to a Brave study.[1]

Personnel

The ICO had 680 staff in 2019, far outnumbering all other DPAs in Europe.[2]

Caseload

In the year 2019/2020, the ICO received 38,514 data protection complaints. Although the ICO closed a record 39,860 cases in 2019/2020, they have stated that they were not able to meet their target of resolving 80% of cases within 12 weeks, resolving only 74% instead.

  • Number of data protection complaints received in 2019/2020: 38,514
  • Number of data protection complaints received in 2018/2019: 41,661
  • Number of data protection complaints closed in 2019/2020: 39,860
  • Number of data protection complaints closed in 2018/2019: 34,684
  • Number of Freedom of Information complaints received in 2019/2020: 6,367
  • Number of Freedom of Information complaints received in 2018/2019: 6,418
  • Number of personal data breaches complaints closed in 2019/2020: 12,789
  • Percentage of cases concerning personal data breaches in which the ICO decided no action was needed: 95%

Fines

To date (November 2020), the largest fine issued by the ICO was a fine of £20 million against British Airways for failing to protect the personal and financial details of more than 400,000 customers. Other notable GDPR fines include its £18.4 million fine against Marriott International and £1.25 million fine against Ticketmaster UK Limited.

Annual Report

The ICO publishes an Annual Report. For the 2020 report, see ICO Annual Report 2020/2021.

  1. Brave Study "Europe’s governments are failing the GDPR", Page 6 - https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf
  2. Brave Study "Europe’s governments are failing the GDPR", Page 4 - https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf