ICO (UK): Difference between revisions

From GDPRhub

{|
|Name:||Information Commissioner’s Office
|-
|Abbreviation:||ICO
|-
|Jurisdiction:||United Kingdom
|-
|Head:||Elizabeth Denham
|-
|Deputy:||James Dipple-Johnstone
|-
|Address:||Water Lane, Wycliffe House
Wilmslow - Cheshire
SK9 5AF
UNITED KINGDOM
|-
|Webpage:||ico.org.uk
|-
|Email:||casework@ico.org.uk
|-
|Phone:||+44 1625 545 700
|-
|Twitter:||https://twitter.com/ICOnews
|-
|Procedural Law:||[https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted Data Protection Act 2018]
|-
|Decision Database:||[https://ico.org.uk/action-weve-taken/ Actions by the ICO]
|-
|Translated Decisions:||[[:Category:ICO (UK)]]
|-
|Head Count:||768 permanent staff (as of 31 March 2020)
|-
|Budget:||[https://ico.org.uk/media/about-the-ico/documents/2618021/annual-report-2019-20-v83-certified.pdf app. £61m for 2020/2021]
|}


The Information Commissioner’s Office (ICO) is the national Data Protection Authority for the United Kingdom and is in charge of enforcing the GDPR there. The requirement to have a data protection authority stems from Section 114 of Part 5 of the Data Protection Act 2018, which is the national act implementing the GDPR in the UK. The ICO's head office is in Wilmslow, and it also has offices in Scotland, Wales, and Northern Ireland. The ICO is an executive non-departmental public body, sponsored by the [https://www.gov.uk/government/organisations/department-for-digital-culture-media-sport Department for Digital, Culture, Media & Sport].
 
To date, the largest fine issued by the ICO was a fine of £20 million against [https://ico.org.uk/action-weve-taken/enforcement/british-airways/ British Airways] for failing to protect the personal and financial details of more than 400,000 customers. Other notable GDPR fines include its £18.4 million fine against [https://ico.org.uk/action-weve-taken/enforcement/marriott-international-inc/ Marriott International] and £1.25 million fine against [https://ico.org.uk/action-weve-taken/enforcement/ticketmaster-uk-limited/ Ticketmaster UK Limited].
 
In the year 2019/2020, the ICO received 38,514 data protection complaints. Although the ICO closed a record 39,860 cases in 2019/2020, it has stated that it was not able to meet its target of resolving 80% of cases within 12 weeks, resolving only 74% instead.


==Structure==
The current Information Commissioner at the ICO is Elizabeth Denham, who was appointed in 2016. Section 115 of Part 5 of the Data Protection Act 2018 sets out the general functions that are conferred upon the Commissioner. The Information Commissioner directly supervises the Deputy Commissioner and Chief Regulatory Officer (James Dipple-Johnstone), the Deputy Chief Executive and Chief Operating Officer (Paul Arnold), and the Deputy Commissioner for Regulatory Innovation and Technology (Simon McDougall). These three individuals then supervise the remainder of the Executive Team.
 
As a Corporation Sole (a legal entity consisting of a single incorporated office), all formal powers and duties of the ICO rest with the Commissioner. However, the ICO has a Management Board, whose primary purpose is to assist the Information Commissioner in discharging her statutory responsibilities on a long-term and strategic basis. Further information about the ICO's decision-making structure can be found [https://ico.org.uk/about-the-ico/who-we-are/decision-making-structure/ here].


==Procedural Information==

===Applicable Procedural Law===
When the General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into national law through the [https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted Data Protection Act 2018]. The Data Protection Act also implemented the EU Law Enforcement Directive (LED), and further extended data protection law to areas not covered by the GDPR or the LED.
 
The Data Protection Act 2018 is divided into four main regimes, each dealing with processing of a specific type or category of data. Part 1 deals with processing within the scope of the GDPR. Part 2 deals with processing outside the scope of the GDPR. Part 3 deals with processing by competent authorities for law enforcement purposes. Part 4 deals with processing by the intelligence services. Apart from these four main parts, the Act also includes Part 5, which concerns the Information Commissioner, Part 6, which deals with enforcement, and Part 7, which provides some additional provisions. The Act then contains 20 Schedules, which elaborate on the different parts of the Act.
 
However, the status of the GDPR during the UK's transition period out of the EU (in the context of Brexit) is not entirely clear; the relevant provisions are Title VII (Articles 70-74) of the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A12019W%2FTXT%2802%29 Agreement on the Withdrawal of the UK from the EU]. It also remains to be seen whether the UK will be granted an 'adequacy' decision, attesting that it has a level of protection for personal data essentially equivalent to that in the EU.


===Complaints Procedure under Art 77 GDPR===
The right of a data subject to lodge a complaint is found in Section 165 of Part 6 of the Act. It stipulates that a data subject can lodge a complaint with the ICO if they consider that there has been an infringement of the GDPR with regard to their personal data. Section 165(3) stipulates that the Commissioner must facilitate the making of such complaints. If the Commissioner receives a complaint, they must:
 
# take appropriate steps to respond to the complaint,
# inform the complainant of the outcome of the complaint,
# inform the complainant of their rights under section 166 of the Act, and
# if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.
 
With regard to the taking of appropriate steps, Section 165(5) specifies that this means the ICO must (1) investigate the subject matter of the complaint, and (2) inform the complainant of the progress of the complaint, including whether further investigation or coordination with another supervisory authority or foreign designated authority is necessary.
 
Section 166 also gives the data subject the right to progress a complaint if the ICO fails to handle the complaint. This includes:
 
# failing to respond to the complaint,
# failing to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or
# failing to provide the complainant with information during a subsequent period of 3 months if the Commissioner's consideration of the complaint was not concluded within the first three months.


===''Ex Officio'' Procedures under Art 57 GDPR===
Section 115 of the Data Protection Act 2018 confers upon the Commissioner the tasks listed under Article 57 GDPR. However, the Act does not further elaborate on the scope of these tasks. The list of tasks conferred upon the Commissioner includes:
 
* Monitoring and enforcing the application of the GDPR (including the handling of complaints)
* Promoting public awareness and understanding of the risks, rules, safeguards and rights, in relation to processing
* Providing information to data subjects about the exercise of their rights under the GDPR upon request
* Cooperating with other Supervisory Authorities to ensure the consistent application of the GDPR
* Keeping records of infringements of the GDPR and their corrective measures
 
The ICO can therefore investigate, audit, advise, and so forth, when it comes to breaches of obligations under the GDPR. This grants the ICO wider powers than it previously had under the Data Protection Act 1998.
 
The Data Protection Act 2018 subjects the powers of the ICO (which are listed in Article 58 GDPR) to certain safeguards, which are listed in Section 115(5)-(9) of the Act. For instance, Section 115(9) requires that the ICO issue a penalty notice where it wants to impose an administrative fine.


===Appeals===
Section 166 of Part 6 of the Data Protection Act 2018 reflects a data subject's right to bring a complaint before a Tribunal if the ICO fails to take appropriate steps to respond to the complaint, fails to provide information within three months, or fails to provide the data subject with information on its consideration of the complaint within a further three months. A Tribunal may order the ICO to take appropriate steps to respond to the complaint, or to inform the complainant of the progress or the outcome of the complaint.
 
Section 162 of Part 6 of the Data Protection Act 2018 grants the data subject the right to appeal to a Tribunal if they have been given a notice. A data subject should lodge the appeal with the First-tier Tribunal (Information Rights) within 28 calendar days of receiving the notice. If an appeal raises particularly complex or important issues, it may be transferred to the Upper Tribunal (Administrative Appeals Chamber). The Upper Tribunal also hears appeals against decisions of the First-tier Tribunal (Information Rights). Appeals against decisions of the Upper Tribunal are heard by the Court of Appeal.


==Practical Information==
Section 167 of Part 6 of the Data Protection Act 2018 gives the data subject the right to claim a remedy in court. Although the GDPR gives the data subject a right to claim compensation from an organization if they have suffered damage as a result of it breaking data protection law, the ICO cannot award compensation. Data subjects therefore have to go before a court to claim compensation. Typically, this claim will first take place before the Small Claims Court.
 
The ICO is also competent to enforce the [https://www.legislation.gov.uk/uksi/2003/2426/made Privacy and Electronic Communications (EC Directive) Regulations 2003], the Statutory Instrument that implemented the [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 ePrivacy Directive 2002/58/EC]. The Privacy and Electronic Communications Regulations (PECR for short) operate alongside the Data Protection Act 2018 and the GDPR, and give people specific privacy rights in relation to electronic communications. In particular, they regulate marketing calls, emails and texts, cookies, and customer privacy as regards traffic and location data, and help to keep communications services secure. The powers granted to the ICO to enforce PECR include monetary penalties, criminal prosecution, non-criminal enforcement and audit.


==Statistics==

*Number of data protection complaints received in 2019/2020: '''38,514'''
*Number of data protection complaints received in 2018/2019: '''41,661'''
*Number of data protection complaints closed in 2019/2020: '''39,860'''
*Number of data protection complaints closed in 2018/2019: '''34,684'''
*Number of Freedom of Information complaints received in 2019/2020: '''6,367'''
*Number of Freedom of Information complaints received in 2018/2019: '''6,418'''
*Number of personal data breach complaints closed in 2019/2020: '''12,789'''
*Percentage of personal data breach cases in which the ICO decided no action was needed: '''95%'''

''[source: [https://ico.org.uk/media/about-the-ico/documents/2618021/annual-report-2019-20-v83-certified.pdf ICO Annual Report 2019/2020]]''

{{DataProtectionAuthorities}}

Revision as of 15:42, 25 November 2020
