ICO to focus on most serious data protection offenders
28 Jan 2014
The Information Commissioner's Office (ICO) wants to focus on organisations that get data protection wrong repeatedly and take action against those who commit serious breaches of the data protection legislation, under proposals in a consultation launched in December (Consultation: Our new approach to data protection concerns). The consultation closes this Friday 31 January and the proposals will come into force in April. The DMA will be submitting a response to the consultation.
The ICO's new approach
1. Individual to speak to the organisation not the ICO
Individuals should raise their concerns about an organisation's data protection policies and procedures with the organisation in question, in the first instance. The organisation should provide the individual with a clear and open response to their concerns. The ICO will provide individuals and organisations with tools and guidance to help them do this. If the individual does not receive a satisfactory response they can take their complaint to the ICO.
2. ICO to keep record of complaints received
The ICO will retain a record of the individual’s concern, complete with the organisation’s response, and decide if there is an opportunity for that organisation to improve its data protection policies and procedures. The ICO will improve its systems for capturing and analysing this information, which will enable it to determine whether the concern is a one-off or is evidence of poor data protection policies and procedures. If there is evidence of poor practice then the ICO may take further action. The ICO will also use this information to plan and coordinate its activity, either on its own or through joint activity with other regulators such as the Financial Conduct Authority, Trading Standards and trade bodies.
3. Further action by the ICO
Depending on the response provided by the organisation, the ICO may take further action. For instance, the ICO may offer advice to both parties and ask the organisation to take ownership of the complaint, or contact the organisation to explain why it needs to improve its data protection policies and procedures. In serious cases this could include taking formal enforcement action, such as an assessment of an organisation's data protection policies and procedures, or asking the organisation to commit to an undertaking which the ICO will publish on its website.
4. Publication of reports
The ICO will publish regular reports highlighting improvements made to organisations' data protection policies and procedures and enforcement action taken.
5. Contact with organisations
The ICO will have regular contact with the organisations that the public raises the most concerns about.
Why the ICO is changing its policies
1. The ICO wants to focus on organisations that get data protection wrong repeatedly and take action against those who commit serious breaches of the data protection legislation.
2. The ICO wants to become more effective and efficient at using concerns raised with it to improve data protection policies and procedures and to tackle systemic problems. Currently the ICO is drawn into adjudicating on individual disputes between organisations and their customers or clients, particularly where data protection may only be a peripheral part of the matter being disputed. In only 35% of the complaints the ICO dealt with in 2012/13 did it assess that it was likely the legislation had been contravened.
3. The ICO wants to support individuals and organisations to resolve their data protection disputes, to avoid unnecessary concerns being raised with it and to make it easier for the ICO to identify opportunities for it to improve organisations’ data protection policies and procedures.
If members have any comments which they would like included in the DMA response then please send them to James Milligan by Thursday 30 January. The DMA will update members with the ICO’s response to the consultation.
James Milligan, Solicitor, DMA