United Kingdom
United Kingdom
Abstract Shape Background
United Kingdom

United Kingdom

United Kingdom

Senior management and organisation

Please identify the authority’s senior management.

Information commissioner: Elizabeth Denham

Deputy chief executive: Paul Arnold

Deputy commissioner (Operations): James Dipple-Johnstone

Deputy commissioner (Policy): Steve Wood

Executive director – technology policy: Simon McDougall

When was the head of the authority appointed?

July 2016

How long is their term of office?

The information commissioner is currently appointed for a term not exceeding seven years and may not be appointed for a further term.

What is the process for nominating the head of the authority?

The information commissioner is an independent official appointed by the Crown. The commissioner's decisions are subject to appeal to an independent tribunal and the courts. The commissioner's mission is to “uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”.

What was the authority’s budget for the most recently-available financial year?

In 2018/2019, the budget was £38 million.      

How many data protection/privacy-focused staff does the authority employ?

There are currently more than 200 case officers working on issues raised by the public, a 60-strong enforcement department taking forward our investigations and a similar number charged with developing our information rights policies and guidance.

Contacting the authority

How and where should companies or their advisers contact the authority to notify a data breach?    

Companies or their advisers can report a breach at https://ico.org.uk/for-organisations/report-a-breach/, or make a complaint at https://ico.org.uk/make-a-complaint/.

How and where should companies or their advisers contact the authority to start the binding corporate rules approval process?  

To contact the ICO about BCR applications please email [email protected].

What other contact information should companies and their advisers be aware of?

The ICO’s website has a range of resources for companies and advisers; see https://www.ico.org.uk. People can also call the ICO helpline for advice on + 44 303 123 1113.

Legal and enforcement framework

Can you search premises or force the disclosure of information without having to approach the courts?

The ICO has powers that can be used in connection with regulatory action, including the following:

  • Search warrant: powers of entry, inspection and seizure may be granted, on application to a judge, where there are reasonable grounds for suspecting an offence under the Act has been committed, or the data protection principles or the the Privacy and Electronic Communications Regulations (PECR) have been contravened (section 50 and schedule 9 of the Act and regulation 31 of the PECR).
  • Authorisation to access communications data or to undertake directed surveillance: an authorisation may be issued under the Regulation of Investigatory Powers Act 2000 (RIPA) to enable the ICO to gain lawful access to communications data where it is necessary and proportionate to do so for the purposes of the detection or prevention of crime (sections 22 and 28 of RIPA).

More information can be found at: https://ico.org.uk/about-the-ico/what-we-do/taking-action-data-protection.

What fines can you impose on companies that breach data protection rules?

Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18), the following fines can be imposed:

  • the standard maximum amount: up to €10 million or 2% annual global turnover of an organisation, whichever is higher; or
  • the higher maximum amount: up to €20 million or 4% annual global turnover of an organisation, whichever is higher.

In these circumstances, the amount imposed will depend on why the penalty notice is issued.

Under the PECR, a fine of up to £500,000 can be imposed for serious breaches.

What other measures can you take against companies that breach data protection rules?

These powers are set out in our Regulatory Action Policy at https://ico.org.uk/media/about-the-ico/documents/2259467/regulatory-action-policy.pdf. They include the following:

  • Data protection: There are a number of tools available to the ICO for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit.      
  • PECR: Anyone who breaches PECR may face criminal prosecution, non-criminal enforcement and audit. Freedom of Information Act: The ICO may take actions to help organisations follow the Freedom of Information Act, Environmental Information Regulations, INSPIRE Regulations, Re-use of Public Sector Information Regulations and associated codes of practice. They include non-criminal enforcement and assessments of good practice.      

What are your enforcement priorities over the next year? For example, are you targeting any particular topics, or industry sectors?

Our strategies and plans can be found here: https://ico.org.uk/about-the-ico/our-information/our-strategies-and-plans

Our strategic goals are to:

  • increase the public’s trust and confidence in how data is used and made available;
  • improve standards of information rights practice through clear, inspiring and targeted engagement and influence;
  • maintain and develop influence within the global information rights regulatory community;
  • stay relevant, provide excellent public service and keep abreast of evolving technology;
  • enforce the laws we help shape and oversee; and
  • to be an effective and knowledgeable regulator for cyber-related privacy issues.

What data protection/privacy-related guidelines have you issued to date?

The ICO has issued guidance to the public about how their data is used and made available. The guidance can be viewed at https://ico.org.uk/your-data-matters.

The ICO has issued an updated guide to data protection legislation (available at https://ico.org.uk/for-organisations/guide-to-data-protection/) for organisations to find out about their obligations and how to comply under the Acts. We’ve also issued case studies for specific sectors. Guidelines and case studies can be found at https://ico.org.uk/for-organisations.

Get unlimited access to all Global Data Review content