Focussed enforcement action

The UK Information Commissioner’s Office (ICO) recently published its new policy on regulatory and enforcement action. The ICO says the aim of the policy is to send a clear and consistent signal to those who are required to comply, “to the public whom the law protects and empowers, and the staff who act on the ICO’s behalf”. The ICO has adopted a “carrot and stick” approach, which it describes as “a targeted, risk-driven approach to regulatory action – not using its legal powers lightly or routinely, but taking a tough and purposeful approach on those occasions where it is necessary”.

Interestingly, according to its website, the ICO has issued only 46 fines (in respect of 44 incidents) to date, the latest being a fine of £100,000 to Aberdeen City Council. More than half of these 46 fines have been issued to government or local authority bodies; the rest have mostly gone to health bodies, with a small number to private companies. A clear trend emerges from these statistics, possibly as a result of the lack of resources available to the ICO: it has had to focus its attention on certain “high risk” sectors. The ICO has stated in the policy that certain areas will be given “priority” for regulatory action, namely health, criminal justice, local government, and online and mobile devices. This goes a long way to confirming our suspicions.

What drives enforcement action?

The new policy also details the decision-making process the ICO will follow, the ICO’s approach to transparency, the principles that apply when it takes regulatory action, and some further detail on when audits are necessary. The most noteworthy detail is hidden away at the very end of the policy, where it gives examples of the types of conduct that are unlikely to lead to the ICO using its formal regulatory powers. Of course the examples are intended to be illustrative rather than binding, but they do provide a clear insight into the types of non-compliance or breaches of data protection law about which the ICO is not concerned (or for which it does not have time). The examples provided are:

  • Non-compliance with the data protection principles, but where the Data Controller has taken necessary steps in the circumstances to prevent a breach.
  • Single non-criminal breaches by small businesses caused by ignorance of requirements.
  • Non-criminal, non-compliance which is not particularly intrusive and has not caused significant detriment.
  • Breaches arising from commercial disputes which are minor in nature, for example those which can be resolved by other means such as a private civil action.

We wonder, however, whether the ICO’s approach to enforcement will remain the same once the new EU Regulation on Data Protection comes into force. The draft Regulation currently makes provision for a significant increase in the size of fines that can be issued by the regulator: up to 2% of an organisation’s worldwide turnover under the new Regulation, compared with the current maximum of £500,000. This jump in fining power may strengthen the argument for better funding for the ICO in the future.