Penalties – the ICO’s Involvement
In cases where the Act has been breached, the Information Commissioner’s Office can:
- Serve information notices requiring organisations to provide the ICO with specified information within a certain time period.
- Commit an organisation to a particular course of action in order to improve its compliance.
- Serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps to ensure they comply with the law.
- Conduct consensual assessments (audits) to check organisations are complying.
- Conduct compulsory audits to assess whether an organisation’s processing of personal data follows good practice.
- Issue monetary penalty notices.
- Prosecute those who commit criminal offences under the Act.
- Report to Parliament on data protection issues of concern.
A monetary penalty will only be appropriate in the most serious breaches of the Data Protection Act or the Privacy and Electronic Communications Regulations.
When deciding the amount of a monetary penalty, the Commissioner not only takes into account the seriousness of the breach but also other factors including the size, financial and other resources of a data controller.
It is not the purpose of a monetary penalty to impose undue, financial hardship.
The amount must not exceed £500,000 and is not kept by the Commissioner, but paid into the Consolidated Fund owned by HM Treasury.
Failure to respond to information, enforcement or assessment notices can result in prosecution.