News | March 29, 2022

ICO publishes Regulatory Action Policy and Guidance

The Information Commissioner’s Office (ICO) published a draft regulatory action policy in December 2021, accompanied by draft statutory guidance, and asked for feedback on both by 24th March 2022. Although the guidance has been published as a consultation document, the finished product is unlikely to differ markedly from the draft regulatory action policy.

The guidance gives a good insight into the ICO’s strategy for regulatory action. It is divided into two parts. Part A focuses on the ICO’s role and explains in detail how it promotes best practice, how it ensures compliance and how it approaches its regulatory responsibilities. Part B focuses on the legislation the ICO is responsible for and the regulatory action available under each piece of legislation.

The guidance also explains in detail the ICO’s regulatory responsibilities, the types of action it uses, and the steps it follows when considering whether to take regulatory action.

The ICO’s approach to its regulatory responsibilities

The stated aim is to protect the public’s information rights whilst supporting innovation and enterprise. The ICO emphasises that enforcement action is a last resort and is only used in the most serious circumstances. Instead, emphasis is placed on helping organisations comply with the law. To facilitate this, the ICO provides a suite of guidance and recommendations covering most of the important data protection topics. Organisations are expected to read, absorb and reflect that guidance in their data protection policies and procedures. Failure to take note of ICO guidance and recommendations may be treated as an aggravating factor.

Aside from encouraging compliance, the ICO attempts to raise awareness and promote information rights by publishing opinions via the website, regular newsletters and webinars, as well as maintaining a presence on social media. The office also helps organisations to test new and innovative data protection concepts and investigates key areas of public concern.

Prioritisation

The ICO works to a ‘prioritisation framework’ to encourage efficient resource allocation, balancing the likely outcome of an action against its strategic priorities. Considerations include the likelihood of success, the legal, financial and reputational aspects of the action, and the resources it may require.

The following sources inform the ICO’s risk assessment:

  • Complaints received;
  • Audit findings;
  • Outcomes of previous investigations;
  • Policy work;
  • Breach reports;
  • Intelligence;
  • Their work with other regulators; and
  • Consumer research; for example the annual track survey of UK residents and wider national and international engagement with the public and stakeholders.

Factors considered in investigations

When conducting an investigation, the ICO considers a number of aggravating and mitigating factors, which affect both whether regulatory action is taken and the level of any monetary penalty imposed on the organisation.

Aggravating factors include:

  • The conduct of the organisation suggests an intentional, wilful or negligent approach to compliance;
  • Operating an unlawful business model;
  • The breach is serious, for example where it involves critical national infrastructure or systems that provide essential public services;
  • A high degree of damage to the public, which may include distress or embarrassment;
  • A breach that resulted in a low degree of harm but affected many people;
  • The person or organisation significantly or repeatedly failed to follow the good practice set out in the codes of practice the ICO is required to promote;
  • The person or organisation did not follow relevant advice, warnings, consultation feedback, conditions or guidance from the ICO or from its data protection officer;
  • The person or organisation failed to comply with an information notice, an assessment notice or an enforcement notice;
  • The breach concerns novel or invasive technology;
  • The organisation failed to follow an approved or statutory code of conduct;
  • The person or organisation’s prior regulatory history, including the pattern, number and type of complaints about the issue and whether the issue raises new or repeated concerns that technological security measures are not protecting the personal data; and
  • The state and nature of any protective or preventative measures and technology available, including by design.

Mitigating factors are as follows:

  • The organisation reported the breach early and disclosed the circumstances;
  • Action was taken by the organisation to mitigate the breach and minimise any damage that individuals may have suffered;
  • The organisation follows an approved or statutory code of practice;
  • The nature of any protective or preventative measures; and
  • The organisation fully co-operated with the ICO.

Other factors which may be considered include:

  • The costs of measures to mitigate risk, issues or harm;
  • The gravity and duration of the breach;
  • If the organisation is representative of a sector where similar issues may be occurring;
  • Any action by the organisation to report the breach to other appropriate bodies;
  • The public interest in taking action; and
  • Whether another regulator, law enforcement body or competent authority is already taking (or has taken) action.

It is not surprising that failing to follow ICO guidance is an aggravating factor, as is failing to act on consultation feedback, failing to co-operate fully, and failing to follow the advice of the organisation’s own data protection officer. Trying to hide a data breach is a risky strategy for any organisation: should the breach be serious and later come to the notice of the ICO, the severity of any regulatory action is likely to be increased. Early reporting is not only a mitigating factor but, for a personal data breach likely to result in a risk to individuals, a legal duty: Article 33 UK GDPR requires notification to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.

What action may the ICO take?

The office has various powers at its disposal when investigating breaches of the UK GDPR and the DPA 2018. Organisations should be aware of the following potential actions:

  • An information notice may be served (section 142 DPA 2018), requiring the organisation to provide information relevant to the investigation.
  • The ICO may carry out investigations or data protection audits, by serving an assessment notice (section 146 DPA 2018), to understand how an organisation uses and stores personal data.
  • Entry to an organisation’s premises may be required under an assessment notice or, where necessary, under a warrant (Schedule 15 DPA 2018).
  • Warnings may be given in relation to processing activities which the ICO considers likely to breach data protection legislation.
  • An enforcement notice (section 149 DPA 2018) may order an organisation to comply with an individual’s request to exercise their rights under the UK GDPR or DPA 2018, to change the way it handles personal information, or to tell an individual about a personal data breach. An enforcement notice may also require an organisation to correct inaccurate personal information, erase personal data, restrict the way it processes data, or suspend data flows to a recipient in a third country or to an international organisation.
  • Financial penalties may be imposed by way of a penalty notice (section 155 DPA 2018). For the most serious infringements of the UK GDPR the maximum is £17.5 million or 4% of total annual worldwide turnover, whichever is higher.

The ICO may also:

  • Give advice to an organisation, to Parliament or to the National Assembly;
  • Approve draft codes of conduct (Article 40(5) UK GDPR);
  • Issue certifications, approve certification criteria and accredit certification bodies (Articles 42(5) and 43 UK GDPR);
  • Adopt standard data protection clauses (Articles 28(8) and 46(2) UK GDPR);
  • Authorise contractual clauses and administrative arrangements and approve binding corporate rules (Articles 46(3) and 47 UK GDPR); and
  • Bring cases to court where an offence under the DPA 2018 has been committed by an individual or an organisation.

Conclusion

Historically, the ICO has shown a preference for negotiating compliance rather than taking enforcement action. Whilst the draft regulatory action policy makes it very clear that the ICO will use its considerable powers should the need arise, the consultation is unlikely to alter the manner in which the ICO investigates data breaches. Organisations should maintain ongoing awareness of current guidance and recommendations, and be prepared to take measures to ensure compliance with data protection legislation.