ICO (UK)

From GDPRhub
Revision as of 14:30, 25 November 2020 by 10.90.129.134
Information Commissioner’s Office
Name: Information Commissioner’s Office
Abbreviation: ICO
Jurisdiction: United Kingdom
Head: Elizabeth Denham
Deputy: James Dipple-Johnstone
Address: Water Lane, Wycliffe House, Wilmslow - Cheshire, SK9 5AF, UNITED KINGDOM

Webpage: ico.org.uk
Email: casework@ico.org.uk
Phone: +44 1625 545 700
Twitter: https://twitter.com/ICOnews
Procedural Law: Data Protection Act 2018
Decision Database: Actions by the ICO
Translated Decisions: Category:ICO (UK)
Head Count: 768 permanent staff (as of 31 March 2020)

Budget: approx. £61m for 2020/2021

The Information Commissioner’s Office (ICO) is the national Data Protection Authority for the United Kingdom. The ICO is in charge of enforcing the GDPR in the United Kingdom. The requirement to have a data protection authority stems from Paragraph 114 of Part 5 of the Data Protection Act 2018, which is the national act implementing the GDPR in the UK. The ICO's head office is in Wilmslow, and it also has offices in Scotland, Wales, and Northern Ireland. The ICO is an executive non-departmental public body, sponsored by the Department for Digital, Culture, Media & Sport.

To date, the largest fine issued by the ICO was £20 million against British Airways for failing to protect the personal and financial details of more than 400,000 customers. Other notable GDPR fines include its £18.4 million fine against Marriott International and its £1.25 million fine against Ticketmaster UK Limited.

In the year 2019/2020, the ICO received 38,514 data protection complaints. Although the ICO closed a record 39,860 cases in 2019/2020, it stated that it was not able to meet its target of resolving 80% of cases within 12 weeks, resolving only 74% instead.

Structure

The current Information Commissioner at the ICO is Elizabeth Denham, who was appointed in 2016. Paragraph 115 of Part 5 of the Data Protection Act 2018 sets out the general functions that are conferred upon the Commissioner. The Information Commissioner directly supervises the Deputy Commissioner and Chief Regulatory Officer (James Dipple-Johnstone), the Deputy Chief Executive and Chief Operating Officer (Paul Arnold), and the Deputy Commissioner for Regulatory Innovation and Technology (Simon McDougall). These three individuals then supervise the remainder of the Executive Team.

As a Corporation Sole (a legal entity consisting of a single incorporated office), all formal powers and duties of the ICO rest with the Commissioner. However, the ICO has a Management Board, whose primary purpose is to assist the Information Commissioner in discharging her statutory responsibilities on a long-term and strategic basis. Further information about the ICO's decision-making structure can be found here.

Procedural Information

Applicable Procedural Law

When the General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into national law through the Data Protection Act 2018. The Data Protection Act also implemented the EU Law Enforcement Directive (LED), and further extended data protection laws to areas not covered by the GDPR or the LED. The Act is divided into four main regimes, each dealing with processing for a specific type or category of data. Part 1 deals with processing within the scope of the GDPR. Part 2 deals with processing outside of the scope of the GDPR. Part 3 deals with processing by competent authorities for law enforcement purposes. Part 4 deals with processing by the intelligence services. Apart from these four main parts, the Act also includes Part 5, which covers the Information Commissioner, Part 6, which deals with enforcement, and Part 7, which provides some additional provisions.


The application of the GDPR is, however, limited during the UK's transition period out of the EU (in the context of Brexit). This is clear from Title VII (Articles 70-74) of the Agreement on the Withdrawal of the UK from the EU.

Complaints Procedure under Art 77 GDPR

You can help us by filling in this section!

Ex Officio Procedures under Art 57 GDPR

You can help us by filling in this section!

Appeals

Paragraph 166 of Part 6 of the Data Protection Act 2018 reflects a data subject's right to advance a complaint before a Tribunal if the ICO fails to take appropriate steps to respond to the complaint, fails to provide information within three months, or fails to provide the data subject with consideration of the complaint within three months. A Tribunal may order the ICO to take appropriate steps to respond to the complainant, or to inform the complainant of progress or the outcome of a complaint.

Paragraph 162 of Part 6 of the Data Protection Act 2018 grants the data subject the right to appeal to a Tribunal if they have been given a notice. A data subject should lodge a complaint at the First Tier Tribunal (Information Rights) within 28 calendar days of receiving the notice. If an appeal raises particularly complex or important issues, it may be transferred to the Upper Tribunal (Administrative Appeals) Chamber. The Upper Tribunal also hears appeals against decisions of the First Tier Tribunal (Information Rights). Appeals against decisions of the Upper Tribunal are heard in the Court of Appeal.

Practical Information

The ICO is also competent to enforce the Privacy and Electronic Communications (EC Directive) Regulations 2003, which is the Statutory Instrument that implemented the ePrivacy Directive 2002/58/EC. The Privacy and Electronic Communications Regulations (PECR for short) operate alongside the Data Protection Act 2018 and the GDPR, and give people specific privacy rights in relation to electronic communications. In particular, they regulate marketing calls, emails and texts, cookies, and customer privacy as regards traffic and location data, and help to keep communications services secure. The powers granted to the ICO to enforce the PECR include the provision of monetary penalties, criminal prosecution, non-criminal enforcement and audit.

Statistics

  • Number of data protection complaints received in 2019/2020: 38,514
  • Number of data protection complaints received in 2018/2019: 41,661
  • Number of data protection complaints closed in 2019/2020: 39,860
  • Number of data protection complaints closed in 2018/2019: 34,684
  • Number of Freedom of Information complaints received in 2019/2020: 6,367
  • Number of Freedom of Information complaints received in 2018/2019: 6,418
  • Number of personal data breaches complaints closed in 2019/2020: 12,789
  • Percentage of cases concerning personal data breaches in which the ICO decided no action was needed: 95%

[source: ICO Annual Report 2019/2020]
