| Established | 1984; 41 years ago |
|---|---|
| Type | Non-departmental public body |
| Focus | Data protection and freedom of information |
| Headquarters | Wycliffe House |
| Origins | Data Protection Act 1984 |
| Region served | United Kingdom |
| Information Commissioner | John Edwards |
| Parent organisation | Department for Science, Innovation and Technology |
| Revenue | £57,980,542 (2020/2021) |
| Expenses | £57,041,005 (2020/2021) |
| Staff | 500+ |
| Website | ico |
| Formerly called | Data Protection Registrar |
The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology.[1] It is the independent regulatory office (national data protection authority) responsible for the Data Protection Act 2018, the General Data Protection Regulation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 across the UK, and for the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When it audits an organisation it uses Symbiant's audit software.[2]
The Information Commissioner is an independent official appointed by the Crown. The Commissioner's decisions are subject to appeal to an independent tribunal and the courts. The Commissioner's mission is to "uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals".[3]
The role of Information Commissioner is currently held by John Edwards, who succeeded Elizabeth Denham on 3 January 2022.[4]
On 26 August 2021, John Edwards was named as the new Information Commissioner, replacing Elizabeth Denham. The UK government said he would "go beyond the regulator's traditional role" and that the job would now be "balanced" between protecting rights and promoting "innovation and economic growth". It also said that privacy should be protected "in as light a touch way as possible", that it would prioritise allowing personal data to be sent internationally to places such as the United States, Korea, Singapore, Dubai and Colombia, among others, that it wanted a data policy that delivered a "Brexit dividend" for businesses (rather than for individuals alone), and that it wanted to get rid of "endless" cookie pop-ups.[5] Promoting economic growth is not one of the ICO's functions recognised in law, so this new emphasis creates the potential for conflict with its statutory functions, set out for example in section 115 of the Data Protection Act 2018 and in the UK GDPR,[6] and the risk that the ICO may take actions which are ultra vires. Since promoting economic growth has not previously been one of its roles (the announcement of 26 August 2021 said it is something the job would "now" involve, and it is not set out in statute),[5] any weight given to it is weight that was previously given to the protection of rights alone. As of 26 August 2021, the ICO's website states that it is "The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals".[7]
Since Elizabeth Denham was appointed Britain's Information Commissioner in 2016, the ICO has undertaken high-profile investigations into Equifax, Yahoo, TalkTalk, Uber and Facebook, issuing the maximum fine available under the Data Protection Act 1998, £500,000, to Facebook for breaches of data protection law.[8] Denham also oversaw the conclusion of the ICO's investigation into charities' fundraising activities and a series of fines for companies behind nuisance marketing.[9]
Elizabeth Denham welcomed the introduction of the General Data Protection Regulation (GDPR)[10] that came into effect in May 2018, as well as the Data Protection Act 2018.[11]
In October 2018 she was elected chair of the International Conference of Data Protection and Privacy Commissioners (ICDPPC), the leading global forum of data protection and privacy authorities, encompassing more than 120 members across all continents that works throughout the year on global data protection policy issues.
During his time as Information Commissioner, Christopher Graham was noted for gaining new powers to issue monetary penalties to those who breached the Data Protection Act 1998. He also welcomed new powers to issue monetary penalties under the Privacy and Electronic Communications Regulations, and raised concerns over the harm and distress caused to the public by nuisance calls.[12] Christopher Graham succeeded Richard Thomas in 2009.
During Richard Thomas' tenure as Commissioner, the ICO was particularly noted for raising serious concerns over the Government's proposed British national identity card and database, as well as other similar databases such as the Citizen Information Project, the Universal Child Database and the NHS National Programme for IT, stating that the country was in danger of sleepwalking into a surveillance society,[13] and drawing attention to the misuse of such information by the former states of the Eastern bloc and by Francisco Franco's Spain.
The Data Protection Act 2018[11] receivedroyal assent on 23 May 2018. It updates data protection laws in the UK, supplementing the General Data Protection Regulation (GDPR), implementing the EU law enforcement directive, and extending data protection laws to areas not covered by the GDPR. The new Act aims to modernise data protection laws to ensure they are effective in the years to come.
The data protection charge on UK data controllers that supports the Act is set under the Data Protection (Charges and Information) Regulations 2018. Exemptions from the charge were left broadly the same as under the previous Act: largely some businesses' and non-profits' internal core purposes (staff or members, marketing and accounting), household affairs, some public purposes, and non-automated processing.[14][15] The register of fee payers, which excludes those data controllers that are exempt from paying a fee, is publicly available and searchable on the ICO's website,[16] which also links to the ICO's counterparts around Europe.
The United Kingdom as a member of the European Union was, and as a former member still is, subject to a strict regime of data protection. The Data Protection Act 1984 created the post then named Data Protection Registrar, with whom people processing personal data had to register the fact of their processing on the register of data controllers. Under the provisions of EC Directive 95/46 (introduced in the UK as the Data Protection Act 1998, rather than as an SI under the European Communities Act 1972), the name of the post was changed to Data Protection Commissioner and later to Information Commissioner.
The General Data Protection Regulation (GDPR) is a Europe-wide law that replaced the Data Protection Act 1998 in the UK. The GDPR came into force on 25 May 2018 and sets out requirements for how organisations must handle personal data. It forms part of the data protection regime in the UK, together with the Data Protection Act 2018 (DPA 2018). Following the UK's departure from the EU on 31 January 2020, the GDPR continues to be part of British domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
In 2005 the Commissioner's role was expanded to include enforcement of the Freedom of Information Act 2000 and the Environmental Information Regulations 2004; the position had already been renamed from Data Protection Commissioner to Information Commissioner ('IC') by the Freedom of Information Act 2000 in anticipation of that role. Enforcement of the Freedom of Information (Scotland) Act 2002, which applies to devolved public authorities in Scotland, is the responsibility of the Scottish Information Commissioner, a separate public official, as the UK Act does not apply to those authorities.
The ICO issues guidance on Freedom of Information legislation, which is being updated in accordance with its strategic plan for 2019/20 to 2021/22, Openness by Design.[17]
In November 2011 the ICO was given the power to impose monetary penalties of up to £500,000 for breaches of the Privacy and Electronic Communications Regulations (PECR). PECR applies to organisations that wish to send marketing messages by electronic means (phone, fax, email or text), use cookies, or provide electronic communication services to the general public. As with the GDPR, these regulations continue to apply following Brexit.
In March 2013, commenting on a fine of £90,000 imposed on Cumbernauld fitted kitchen company DM Design for nuisance marketing calls, the Information Commissioner said that "this fine will not be an isolated penalty. We know other companies are showing a similar disregard for the law and we've every intention of taking further enforcement action against companies that continue to bombard people with unlawful marketing texts and calls." In 2014, the Government changed the law to "lower the legal threshold for consumer harm".[18] This made it easier for the ICO to "take enforcement action against more organisations breaching the Privacy and Electronic Communications Regulations (PECR)".[19]
In October 2018 the ICO fined two companies a total of £250,000 for making nearly 1.73 million direct marketing phone calls to people registered with the Telephone Preference Service (TPS).[20] In December 2018, the Commissioner welcomed a new law under which the ICO can hold company bosses directly responsible for breaches of the Privacy and Electronic Communications Regulations (PECR) and fine them personally.
The Information Commissioner is also responsible for appeals made under the Environmental Information Regulations 2004.
Prior to 2010 the ICO's enforcement powers were limited to issuing enforcement notices and to pursuing those alleged to have broken the Data Protection Act 1998 through the courts. In April 2010 the Information Commissioner was granted the power to issue fines, known as monetary penalties, on its own authority; the first such penalties were served on 24 November 2010.[21] From 2010 the ICO was also given the power to serve Assessment Notices, which can be issued to organisations that are unwilling to work alongside the ICO and are at risk of breaching the principles of the Data Protection Act 1998. During the Leveson Inquiry in 2012 it came to light that the ICO had felt unable to challenge the press over alleged breaches, owing to the power of the press and the perceived weakness of its own powers.[22]
From 25 May 2018 the ICO was granted new enforcement powers under the new data protection laws, including the ability to fine organisations €20 million (or the equivalent in sterling) or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher, for breaching data protection law.[23]
In 2002, under 'Operation Motorman', the ICO under Richard Thomas raided various newspaper and private investigators' offices, looking for details of personal information kept on unregistered computer databases. The operation uncovered numerous invoices addressed to newspapers and magazines, detailing prices for providing journalists with personal information; 305 journalists were identified as having received a wide range of such information.[24]
In 2006, a request under the Freedom of Information Act led to the publication of a report to the British Parliament called "What Price Privacy Now?".[25] The newspaper with the highest number of requests was the Daily Mail, with 952 transactions by 58 journalists; the News of the World came fifth in the table, with 182 transactions by 19 journalists.[24] The Daily Mail immediately issued a press release rejecting the accusations in the report. Editor Paul Dacre said that Associated Newspapers only used private investigators to confirm public information, such as dates of birth.[24]
In a July 2011 appearance before a parliamentary committee, a day after former News International CEO Rebekah Brooks had been arrested and bailed in light of the News International phone hacking scandal, Dacre said that he had never "countenanced" phone hacking or blagging at his newspaper, as both acts were clearly "criminal".[26]
On 23 February 2009, the Droitwich office of the Consulting Association (TCA) was raided by the ICO, which served an enforcement notice against TCA under the terms of the Data Protection Act. The ICO action followed a 28 June 2008 article about alleged blacklisting in the construction industry, by journalist Phil Chamberlain, published in The Guardian.[27]
In 2013, the Information Commissioner's Office fined Sony Computer Entertainment Europe Ltd. £250,000 after the PlayStation Network was hacked and the names, addresses, phone numbers and card details of users were stolen. The ICO found that Sony held excessive information about its users and had inadequate security measures in place.[28]
May 2018 saw increased scrutiny of both Facebook and Amazon over reports of the use of biometric personal data without the consent of the data subjects.[29]
On 23 March 2018, the ICO searched the London headquarters of Cambridge Analytica amid reports that the firm had harvested the personal data of millions of Facebook users as part of a campaign to influence the 2016 US presidential election.[30]
In October 2018 the ICO issued Facebook with a fine of £500,000, the maximum allowable under the law in force when the incidents occurred, for breaches of data protection law. The ICO's investigation found that between 2007 and 2014 Facebook processed users' personal information unfairly by allowing application developers (specifically Aleksandr Kogan and his company GSR, as clients of SCL Ltd and Cambridge Analytica) access to that information without sufficiently clear and informed consent, and by allowing such access even where users had not installed the app but were simply 'friends' with people who had.[8]
In November 2018 the ICO finedUber £385,000 for failing to protect customers' personal information during a cyber-attack. A series of avoidable data security flaws allowed the personal details of around 2.7 million British customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber's US parent company.[31]
In September 2018, the ICO issued Equifax Ltd with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017. The incident, which took place between 13 May and 30 July 2017 on systems in the US, affected 146 million customers globally.[32]
In February 2019, the ICO launched an investigation into the video-sharing platform and mobile application TikTok, following the fine its parent company ByteDance received from the United States' Federal Trade Commission for collecting information from minors under the age of 13 in violation of that country's Children's Online Privacy Protection Act. Speaking to a parliamentary committee, Information Commissioner Elizabeth Denham said that the investigation focused on the same issue of private data collection, on the kind of videos collected and shared by children online, and on the platform's open messaging system, which allows any adult to message any child. She noted that the company was potentially violating provisions in the GDPR which "requires the company to provide different services and different protections for children".[33]
In October 2022, Interserve was fined £4.4 million for a breach of data protection law in May 2020 which enabled attackers to access data on up to 113,000 Interserve employees. Although a phishing email had been detected, the ICO said Interserve "failed to thoroughly investigate the suspicious activity". As a result, the attacker compromised 283 systems and 16 accounts, uninstalled the company's anti-virus solution, and encrypted the personal data of current and former employees. Interserve disputed that its staff and its response had been complacent, and said it had also sought to reduce risks in systems supporting ongoing operations at Tilbury Douglas and at Mitie Group.[34] The fine was the fourth-largest ever imposed by the ICO.[35]
| Information Commissioner | |
|---|---|
| Incumbent | John Edwards, since 3 January 2022 |
| Office | Information Commissioner's Office |
| Type | Corporation sole |
| Reports to | Parliament of the United Kingdom |
| Appointer | Queen Elizabeth II by letters patent |
| Term length | Up to 7 years, non-renewable |
| Constituting instrument | Data Protection Act 2018 |
| Precursor | Data Protection Registrar |
| Formation | 1984 |
| First holder | Eric Howe |
| Salary | £200,000 per year |
| Website | www |
The role of the IC is mirrored throughout the countries of the European Union and the European Economic Area, which have equivalent officials created under their own implementations of Directive 95/46.