Richard Nelson LLP’s team of experienced data protection solicitors are skilled in representing clients who are involved in an ICO prosecution. The ICO’s powers are extensive and an investigation could take a number of different forms. We will be able to provide advice no matter what stage of the ICO prosecution process you’re in.
Role and responsibilities of the ICO
Data protection legislation creates the role of the Information Commissioner and her department, known as the Information Commissioner's Office (ICO). This is an independent regulatory body responsible for overseeing Data Controllers and protecting Data Subjects. Its main function is to encourage compliance and good practice when it comes to handling personal data. It has both the power to investigate any breaches of the law and the power to take a range of regulatory actions against those individuals and organisations responsible for a breach.
What is the ICO concerned with?
An organisation which holds or manages personal information about others is known as a Data Controller. It is required in law to manage and protect that information to ensure that it is not unlawfully disclosed so as to protect those whose information is being handled or managed (the Data Subject).
The current legislation which needs to be complied with in order to protect personal data is The Data Protection Act 1998 (DPA1998). This provides the rules for data protection and the current sanctions for those who breach them. These laws on data protection are currently being reviewed in line with a European Regulation known as the General Data Protection Regulation (GDPR), which will replace the DPA1998 with the Data Protection Act 2018 (DPA2018). This will introduce tougher rules for Data Controllers, strengthen the rights of Data Subjects and create more stringent requirements to be followed in the event of a breach of personal data, along with tougher penalties which can be imposed.
The ICO’s regulatory powers
The ICO undertakes a range of regulatory actions in the event of a breach of personal data. These actions are always taken with the aim of encouraging and enforcing good practice; the use of targeted, proportionate and effective regulatory action will also contribute to the promotion of good practice.
The ICO has available to it a full range of actions which it can take to ensure compliance with data protection laws. These are:
- A formal undertaking
- Negotiated resolution
- Audit (compulsory)
- Audit (consensual)
- Enforcement Order
- S150 Order to a credit reference agency
- Enforcement notice
- Monetary penalty notice
- Criminal prosecution
In addition, the ICO has a number of powers that enable it to carry out its regulatory actions. These are:
- Information notice – a notice served on an organisation or individual requiring the provision of the material to the ICO for the purpose of assessing whether data protection laws have been complied with.
- Assessment notice – a notice served on government departments, public authorities and other designated organisations to ensure that data protection laws and principles are being complied with.
- Search warrants – these grant the ICO the power to enter a premises, inspect and seize material where there are reasonable grounds for suspecting a data protection offence has taken place.
The regulatory powers allow the ICO to fine up to a maximum of £500,000. Although such a level of fine is rare and reserved for large data breaches by large organisations, the same principles apply to any data breach, so it is vital that anybody facing regulatory action by the ICO receives expert legal advice from the outset. Richard Nelson LLP has experienced lawyers who can assist you. If you require assistance of this nature, please contact us today.
What we do...
Our experienced data protection solicitors can advise you on any aspect of an ICO prosecution.
We can help if you’re facing:
- An ICO audit
- Civil monetary penalties