The ICO frames its consultation published on 20 December 2021 as contributing to its vision to increase public confidence in organisations processing personal data and in those with responsibility for making public information available (see Guide to consultation). We have also explored the suggestion that the ICO might refocus on more serious threats to public trust in this article.
What is the ICO consulting on?
Taken together, the three documents the ICO is consulting on cover how it aims to carry out its regulatory responsibilities and mission to uphold information rights for the UK public. These are the:
- Draft Regulatory action policy (RAP) – explains the ICO’s general approach when using its regulatory powers and how it works with other regulators. Details the specific legislation the ICO has responsibility for and related enforcement powers.
- Statutory guidance on the RAP – guidance the ICO is obliged to publish under the DPA 2018. Sets out how the ICO uses its statutory powers to investigate and enforce compliance with the DPA 2018 and the UK GDPR.
- Draft Statutory guidance on its PECR powers – how the ICO uses its statutory powers to issue monetary penalties for failures in respect of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
RAP and linked statutory guidance – in overview
Designed to give direction and focus, the RAP sets out the ICO’s risk-based general approach to taking regulatory action against organisations or members of the public who breach legislation it monitors and enforces. The ICO notes it will only take action that is “proportionate, lawful, fair and rational” seeking to “maximise [its] impact, for example by taking action where [it considers] the risks and harms to be the greatest”.
The RAP covers, amongst other things, the ways in which the ICO sets out to:
- Prioritise actions by taking account of factors including their likely impact, as well as aligning with strategic priorities.
- Respond swiftly and effectively to serious breaches.
- Take enforcement action aiming to be “effective, proportionate, dissuasive, fair and consistent”.
- Seek to assess outcomes and the effectiveness of its actions.
- Communicate to be an open and transparent regulator.
- Work together with other regulators and agencies, specifically noting a desire to further develop co-operation with the likes of the FCA, Ofcom and the CMA through the Digital Regulation Co-operation Forum.
In our view, hints of maximising impact and prioritising actions according to impact seem to align with a potential refocus on more serious breaches and issues.
Meanwhile, the statutory guidance on regulatory action covers the ICO’s approaches to a range of regulatory actions at its disposal including issuing: information notices, assessment notices, enforcement notices and penalty notices.
On the latter, such a penalty must be “an appropriate sanction for any breach” plus “an effective and proportionate deterrent to future non-compliance”. The ICO sets out factors it takes into account when considering the appropriateness of a potential penalty (see pages 22 to 23 here for the lists). Mitigating factors include:
- Early notification of the breach or issue, openness with the ICO, and degree of co-operation with the ICO during any investigation;
- Any action(s) taken to mitigate or minimise damage;
- Any early action(s) taken to ensure future compliance; and
- Any protective or preventative measures and technology available.
As for calculating the amount of any penalty, the statutory guidance says the nine-step process set out is “fair, consistent and takes all relevant evidence and representations into account”.
Statutory guidance on PECR – in overview
The updated statutory guidance on the ICO’s PECR powers sets out how the ICO issues monetary penalties for failures in respect of the PECR.
Examples of serious contraventions the ICO gives include: making large numbers of automated marketing communications to people who did not consent to them; or covertly tracking an individual’s location using mobile phone location data. The ICO can serve a monetary penalty notice (MPN) if it is satisfied such contraventions also meet the other regulatory criteria (the contravention was deliberate; the person/organisation knew or ought to have known it would occur but failed to take reasonable steps to prevent it; and, unless a breach of Regulations 19-24 PECR, it is likely to cause substantial damage or distress).
Broadly, the ICO sets out that its aim with an MPN is for it to act as an “effective, proportionate deterrent to future non-compliance.” The ICO sets out various factors it may consider in determining the amount of an MPN, aiming to eliminate any financial gain or benefit obtained from non-compliance with PECR, whilst not imposing undue financial hardship. The amount of an MPN must not exceed £500,000.
What is the consultation asking?
The consultation broadly asks open-ended questions on whether you agree with the ICO’s approach set out in each document; whether the purpose of each document is clear; and whether each is helpful. It also asks for any open-ended suggestions for improvements or other issues to cover more thoroughly.
How to respond
The consultation is open until 24 March 2022.
The ICO welcomes responses from all interested parties, including data controllers.
Final updated versions of the documents are expected by the end of 2022. However, the ICO would also need to update its policies and guidance to reflect any new legislative and regulatory reforms, including any made in response to the government’s Data: a new direction consultation.
Please see our article here for more on our predictions for the ICO’s activity in 2022.
If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.