ICO (UK): Difference between revisions

From GDPRhub
m (→‎Applicable Material Law in the UK: removed duplicate word "through")
Line 52: Line 52:


==Applicable Material Law in the UK==
==Applicable Material Law in the UK==
When the General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into national law through through the [https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted Data Protection Act 2018]. The Data Protection Act also implemented the EU Law Enforcement Directive (LED), and further extended data protection laws to areas not covered by the GDPR or the LED.   
When the General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into national law through the [https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted Data Protection Act 2018]. The Data Protection Act also implemented the EU Law Enforcement Directive (LED), and further extended data protection laws to areas not covered by the GDPR or the LED.   


The Data Protection Act 2018 is divided into four main regimes, each dealing with processing for a specific type or category of data. Part 1 deals with processing within the scope of the GDPR. Part 2 deals with processing outside of the scope of the GDPR. Part 3 deals with processing by competent authorities for law enforcement purposes. Part 4 deals with processing by the intelligence services. Apart from these four main parts, the act also includes Part 5, which speaks about the Information Commissioner, Part 6, which deals with enforcement, and Part 7, which provides some additional provisions. The Act then contains 20 Schedules, which elaborate on the different parts of the Act.   
The Data Protection Act 2018 is divided into four main regimes, each dealing with processing for a specific type or category of data. Part 1 deals with processing within the scope of the GDPR. Part 2 deals with processing outside of the scope of the GDPR. Part 3 deals with processing by competent authorities for law enforcement purposes. Part 4 deals with processing by the intelligence services. Apart from these four main parts, the act also includes Part 5, which speaks about the Information Commissioner, Part 6, which deals with enforcement, and Part 7, which provides some additional provisions. The Act then contains 20 Schedules, which elaborate on the different parts of the Act.   
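Review bot: the duplicated "through" is correctly removed, but the second paragraph of this hunk still says Part 5 "speaks about the Information Commissioner", which is inconsistent with the "deals with" wording used for Parts 1 to 4 and Part 6; suggest "Part 5, which deals with the Information Commissioner".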
Line 127: Line 127:
==Statistics==
==Statistics==


=== Funding ===
===Funding===
The ICO is the best-funded DPA in Europe with a total budget of €61m in 2019, according to a Brave study.<ref>Brave Study "Europe’s governments are  failing the GDPR", Page 6 - https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf</ref>
The ICO is the best-funded DPA in Europe with a total budget of €61m in 2019, according to a Brave study.<ref>Brave Study "Europe’s governments are  failing the GDPR", Page 6 - https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf</ref>


=== Personal ===
===Personal===
The ICO had 680 staff in 2019, far outnumbering all other DPAs in Europe.<ref>Brave Study "Europe’s governments are  failing the GDPR", Page 4 - https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf</ref>
The ICO had 680 staff in 2019, far outnumbering all other DPAs in Europe.<ref>Brave Study "Europe’s governments are  failing the GDPR", Page 4 - https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf</ref>


=== Caseload ===
===Caseload===
In the year 2019/2020, the ICO received 38,514 data protection complaints. Although the ICO closed a record-number of record 39,860 cases in 2019/2020, they have stated that they were not able to meet their target of resolving 80% of cases within 12 weeks, resolving only 74% instead.
In the year 2019/2020, the ICO received 38,514 data protection complaints. Although the ICO closed a record-number of record 39,860 cases in 2019/2020, they have stated that they were not able to meet their target of resolving 80% of cases within 12 weeks, resolving only 74% instead.


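Review bot: the Caseload paragraph in both columns still reads "closed a record-number of record 39,860 cases", a duplicated word of the same kind this edit removes elsewhere; suggest "closed a record 39,860 cases". The "===Personal===" heading introduces a staff count, so "Personnel" (or "Staff") is the intended word.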
Line 145: Line 145:
*Percentage of cases concerning personal data breaches in which the ICO decided no action was needed: '''95%'''
*Percentage of cases concerning personal data breaches in which the ICO decided no action was needed: '''95%'''


=== Fines ===
===Fines===
To date (November 2020), the largest fine issued by the ICO was a fine of £20 million against [https://ico.org.uk/action-weve-taken/enforcement/british-airways/ British Airways] for failing to protect the personal and financial details of more than 400,000 customers. Other notable GDPR fines include its £18.4 million fine against [https://ico.org.uk/action-weve-taken/enforcement/marriott-international-inc/ Marriott International] and £1.25 million fine against [https://ico.org.uk/action-weve-taken/enforcement/ticketmaster-uk-limited/ Ticketmaster UK Limited].
To date (November 2020), the largest fine issued by the ICO was a fine of £20 million against [https://ico.org.uk/action-weve-taken/enforcement/british-airways/ British Airways] for failing to protect the personal and financial details of more than 400,000 customers. Other notable GDPR fines include its £18.4 million fine against [https://ico.org.uk/action-weve-taken/enforcement/marriott-international-inc/ Marriott International] and £1.25 million fine against [https://ico.org.uk/action-weve-taken/enforcement/ticketmaster-uk-limited/ Ticketmaster UK Limited].


=== Annual Report ===
===Annual Report===
The ICO publishes an Annual Report. For the 2019 report, see [https://ico.org.uk/media/about-the-ico/documents/2618021/annual-report-2019-20-v83-certified.pdf ICO Annual Report 2019/2020.]{{DataProtectionAuthorities}}
The ICO publishes an Annual Report. For the 2019 report, see [https://ico.org.uk/media/about-the-ico/documents/2618021/annual-report-2019-20-v83-certified.pdf ICO Annual Report 2019/2020.]{{DataProtectionAuthorities}}
<references />
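Review bot: in the Annual Report line the full stop sits inside the link label ("ICO Annual Report 2019/2020.]") and {{DataProtectionAuthorities}} runs on directly after the closing brackets; move the full stop outside the link and put the template on its own line so the navigation box is not glued to the paragraph. "For the 2019 report" also does not match the "2019/2020" in the link label.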

Revision as of 06:38, 18 December 2020

Information Commissioner’s Office
Name: Information Commissioner’s Office
Abbreviation: ICO
Jurisdiction: United Kingdom
Head: Elizabeth Denham
Deputy: James Dipple-Johnstone
Address: Water Lane, Wycliffe House, Wilmslow - Cheshire, SK9 5AF, UNITED KINGDOM
Webpage: ico.org.uk
Email: casework@ico.org.uk
Phone: +44 1625 545 700
Twitter: https://twitter.com/ICOnews
Procedural Law: Data Protection Act 2018
Decision Database: Actions by the ICO
Translated Decisions: Category:ICO (UK)
Head Count: 768 permanent staff (as of 31 March 2020)
Budget: approx. £61m for 2020/2021

The Information Commissioner’s Office (ICO) is the national Data Protection Authority for the United Kingdom. The ICO is in charge of enforcing the GDPR in the United Kingdom. The requirement to have a data protection authority stems from Section 114 of Part 5 of the Data Protection Act 2018, which is the national act implementing the GDPR in the UK. The ICO's head office is in Wilmslow; it also has offices in Scotland, Wales and Northern Ireland. The ICO is an executive non-departmental public body, sponsored by the Department for Digital, Culture, Media & Sport.

Structure

The current Information Commissioner at the ICO is Elizabeth Denham, who was appointed in 2016. Section 115 of Part 5 of the Data Protection Act 2018 sets out the general functions that are conferred upon the Commissioner. The Information Commissioner directly supervises the Deputy Commissioner and Chief Regulatory Officer (James Dipple-Johnstone), the Deputy Chief Executive and Chief Operating Officer (Paul Arnold), and the Deputy Commissioner for Regulatory Innovation and Technology (Simon McDougall). These three individuals then supervise the remainder of the Executive Team.

As a Corporation Sole (a legal entity consisting of a single incorporated office), all formal powers and duties of the ICO rest with the Commissioner. However, the ICO has a Management Board, whose primary purpose is to assist the Information Commissioner in discharging her statutory responsibilities on a long-term and strategic basis. Further information about the ICO's decision making structure can be found here.

Applicable Material Law in the UK

When the General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into national law through the Data Protection Act 2018. The Data Protection Act also implemented the EU Law Enforcement Directive (LED), and further extended data protection laws to areas not covered by the GDPR or the LED.

The Data Protection Act 2018 is divided into four main regimes, each dealing with processing for a specific type or category of data. Part 1 deals with processing within the scope of the GDPR. Part 2 deals with processing outside of the scope of the GDPR. Part 3 deals with processing by competent authorities for law enforcement purposes. Part 4 deals with processing by the intelligence services. Apart from these four main parts, the Act also includes Part 5, which deals with the Information Commissioner, Part 6, which deals with enforcement, and Part 7, which provides some additional provisions. The Act then contains 20 Schedules, which elaborate on the different parts of the Act.

Procedural Information

Applicable Procedural Law

The UK does not have a general procedural act or law. This is usually governed by the common law. Procedures are also governed by the provisions of the Data Protection Act 2018 (see Part 5 for provisions relating to the ICO's role).

Complaints Procedure under Art 77 GDPR

The right of a data subject to lodge a complaint is found in Section 165 of Part 6 of the Data Protection Act 2018. It stipulates that a data subject can lodge a complaint with the ICO if they consider that there has been an infringement of the GDPR with regard to their personal data. Section 165(3) stipulates that the Commissioner must facilitate the making of such complaints. If the Commissioner receives a complaint, they must:

  1. take appropriate steps to respond to the complaint,
  2. inform the complainant of the outcome of the complaint,
  3. inform the complainant of their rights under section 166 of the Act, and
  4. if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.

With regard to the taking of appropriate steps, Section 165(5) specifies that this means the ICO must (1) investigate the subject matter of the complaint, and (2) inform the complainant of the progress of the complaint, including whether further investigation or coordination with another supervisory authority or foreign designated authority is necessary.

Section 166 also gives the data subject the right to progress a complaint if the ICO fails to handle the complaint. This includes:

  1. failing to respond to the complaint,
  2. failing to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or
  3. failing to provide the complainant with information during a subsequent period of 3 months if the Commissioner's consideration of the complaint was not concluded within the first three months.

Ex Officio Procedures under Art 57 GDPR

Section 115 of the Data Protection Act 2018 confers upon the Commissioner the tasks listed under Article 57 GDPR. However, the Act does not further elaborate on the scope of these tasks. The tasks conferred upon the Commissioner include:

  • Monitoring and enforcing the application of the GDPR (including the handling of complaints)
  • Promoting public awareness and understanding of the risks, rules, safeguards and rights, in relation to processing
  • Providing information to data subjects about the exercise of their rights under the GDPR upon request
  • Cooperating with other Supervisory Authorities to ensure the consistent application of the GDPR
  • Keeping records of infringements of the GDPR and their corrective measures

Therefore, the ICO can investigate, audit, advise, and so forth, when it comes to breaches of obligations under the GDPR. This grants the ICO wider powers than it previously had under the Data Protection Act 1998.

The Data Protection Act 2018 subjects the powers of the ICO (which are listed in Article 58 GDPR) to certain safeguards, which are listed in Section 115(5)-(9) of the Act. For instance, Section 115(9) requires that the ICO issue a penalty notice where they want to impose an administrative fine.

Appeals

Section 166 of Part 6 of the Data Protection Act 2018 reflects a data subject's right to advance a complaint before a Tribunal if the ICO fails to take appropriate steps to respond to the complaint, fails to provide information within three months, or fails to provide the data subject with consideration of the complaint within three months. A Tribunal may order the ICO to take appropriate steps to respond to the complainant, or to inform the complainant of progress or the outcome of a complaint.

According to Section 162 of Part 6 of the Data Protection Act 2018, a party can appeal to the Tribunal against: a) an information notice, b) an assessment notice, c) an enforcement notice, d) a penalty notice, and e) a penalty variation notice.

Section 205 specifies that this "Tribunal" will, in most cases, be the First-tier Tribunal (Information Rights). If an appeal raises particularly complex or important issues, it may be transferred to the Upper Tribunal (Administrative Appeals Chamber). The Upper Tribunal also hears appeals against decisions of the First-tier Tribunal (Information Rights). Appeals against decisions of the Upper Tribunal are heard in the Court of Appeal.

Practical Information

Filing a complaint

The ICO provides various standard forms, depending on the subject matter of your complaint:

  • The standard form for a complaint is called a "Personal Information Concern" on the ICO website. Such a concern relates to "Accessing your personal information" or "Other concerns" (e.g. handling of personal data, wrong information, loss of information, etc.); the form is available here.
  • The standard form for "Nuisance calls and messages" is available on the ICO website. There, you will be able to select which type of complaint you are making.
  • The standard form for "Concerns about cookies" is available here.
  • The standard form for "Internet search results" enables you to exercise your right to be forgotten. It is available here. You will have to first contact the search provider with this request and wait for their final and full decision before making a complaint.

Once a complaint has been received, the ICO proceeds by gathering facts and collating similar concerns against the organisation. The ICO will take action against the organisation where there is a clear and serious breach of the applicable law.

Known problems:

Please be aware that for "Personal Information Concerns", the ICO standard form will require you to contact the organisation responsible in writing and wait a period of 1 month (if you have no response) before filing a complaint. There seems to be no legal basis for this requirement in the GDPR.

It is unclear what the status of the GDPR will be during the UK's transition period out of the EU (in the context of Brexit). This is clear from Title VII (Articles 70-74) of the Agreement on the Withdrawal of the UK from the EU. It also remains to be seen whether the UK will be granted an 'adequacy' decision, attesting that it has a level of protection for personal data essentially equivalent to that in the EU.

Filing an appeal

As mentioned above, Section 162 of Part 6 of the Data Protection Act 2018 grants the data subject the right to appeal to a Tribunal if they have been given a notice. The appeal should be lodged with the First-tier Tribunal (Information Rights) within 28 calendar days of receiving the notice.

To file an appeal before the First-tier Tribunal (General Regulatory Chamber), you must fill in a form and send it by email or post. Detailed guidance on how to complete the form and where to send it is available here.

Filing a lawsuit

Section 167 of Part 6 of the Data Protection Act 2018 gives the data subject the right to claim a remedy in court. Although the GDPR gives the data subject a right to claim compensation from an organisation if they have suffered damage as a result of it breaking data protection law, the ICO cannot award compensation. Therefore, data subjects will have to go before a court to claim compensation. Typically, this claim will first take place before the Small Claims Court.

ePrivacy Directive

The ICO is also competent to enforce the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Statutory Instrument that implemented the ePrivacy Directive 2002/58/EC. The Privacy and Electronic Communications Regulations (PECR) operate alongside the Data Protection Act 2018 and the GDPR, and give people specific privacy rights in relation to electronic communications. In particular, they regulate marketing calls, emails and texts, cookies, and customer privacy as regards traffic and location data, and help to keep communications services secure. The powers granted to the ICO to enforce the PECR include monetary penalties, criminal prosecution, non-criminal enforcement and audit.

Statistics

Funding

The ICO is the best-funded DPA in Europe with a total budget of €61m in 2019, according to a Brave study.[1]

Personnel

The ICO had 680 staff in 2019, far outnumbering all other DPAs in Europe.[2]

Caseload

In the year 2019/2020, the ICO received 38,514 data protection complaints. Although the ICO closed a record 39,860 cases in 2019/2020, it has stated that it was not able to meet its target of resolving 80% of cases within 12 weeks, resolving only 74% instead.

  • Number of data protection complaints received in 2019/2020: 38,514
  • Number of data protection complaints received in 2018/2019: 41,661
  • Number of data protection complaints closed in 2019/2020: 39,860
  • Number of data protection complaints closed in 2018/2019: 34,684
  • Number of Freedom of Information complaints received in 2019/2020: 6,367
  • Number of Freedom of Information complaints received in 2018/2019: 6,418
  • Number of personal data breaches complaints closed in 2019/2020: 12,789
  • Percentage of cases concerning personal data breaches in which the ICO decided no action was needed: 95%

Fines

To date (November 2020), the largest fine issued by the ICO was a fine of £20 million against British Airways for failing to protect the personal and financial details of more than 400,000 customers. Other notable GDPR fines include its £18.4 million fine against Marriott International and £1.25 million fine against Ticketmaster UK Limited.

Annual Report

The ICO publishes an Annual Report. For the 2019 report, see ICO Annual Report 2019/2020.

  1. Brave study, "Europe’s governments are failing the GDPR", p. 6, https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf
  2. Brave study, "Europe’s governments are failing the GDPR", p. 4, https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf