On October 1, 2020, the UK Information Commissioner’s Office (“ICO”) launched a public consultation on its draft Statutory Guidance (the “Guidance”). The Guidance provides an overview of the ICO’s powers and how it intends to regulate and enforce data protection legislation in the UK, including its approach to calculating fines.
The Guidance is required by the UK Data Protection Act 2018 and applies only to regulatory action taken under that Act; the rest of the ICO’s activities are governed by its Regulatory Action Policy, which is currently under review. The UK Information Commissioner, Elizabeth Denham, stated that the Guidance “sets out our proportionate approach to regulatory action, yet details the robust action we will take against those that flout the law.” The ICO will use responses to the consultation to understand the areas where further clarity is required regarding information notices, assessment notices, enforcement notices and penalty notices.
The Guidance provides details regarding when each of these tools will be used and the factors the ICO will consider when using them. For example, the Guidance states that while information notices may be served at the ICO’s discretion, it will consider the proportionality of serving one, taking into account the public interest in the response and the risk of harm to individuals posed by the processing under investigation, among other factors. The Guidance also describes the type of information and documentation the ICO may require access to under an assessment notice, including an organization’s strategies, codes of practice, training materials, contracts and job descriptions. It further states that the ICO may require access to information that is subject to legal professional privilege (where this information does not relate to data protection law) and to information with a high level of commercial sensitivity.
With regard to enforcement notices, the Guidance states that their use will usually be appropriate where there has been a repeated failure to meet information rights obligations or the timescales for them (such as repeated delays in responding to subject access requests), serious ongoing infringements of the rights and freedoms of individuals, a failure of an international transfer to meet the requirements of data protection law, or a need for corrective action by a certification or monitoring body to ensure that obligations are met.
A penalty notice is the most serious action that the ICO may take. The Guidance sets out the ICO’s risk-based approach and the higher likelihood that a fine will be imposed where, for example, special-category data is involved, many individuals are affected, and the organization is highly culpable for the breach, among other factors. The Guidance also provides a matrix that the ICO will use to calculate the starting point for fines, which assesses both the seriousness of the infringement and the degree of culpability of the organization.
The consultation will close at 5pm on November 12, 2020. Respondents are asked to provide feedback on whether the Guidance is clear and easy to understand, whether it is useful, and whether anything is missing.