ICO consults on documents underpinning its approach to upholding information rights

The Information Commissioner’s Office (ICO) has launched a consultation on how it regulates the laws it monitors and enforces.

The public and other stakeholders will have until 24 March 2022 to comment on three documents:

  1. The Regulatory Action Policy (RAP), which updates the ICO’s 2018 policy and sets out the regulator’s general approach. The ICO said this document reinforces its “commitment to a proportionate and risk-based approach to enforcement”, explains the factors taken into consideration before taking regulatory action such as monetary penalties, stop-processing orders or compulsory audits, and sets out how the ICO promotes best practice, ensures compliance and works with other regulators. The RAP covers all 11 pieces of legislation that the ICO is responsible for, including the UK GDPR, Data Protection Act 2018, Freedom of Information Act and the Privacy and Electronic Communications Regulations.
  2. Statutory Guidance on the ICO’s Regulatory Action, which focusses on the sections in DPA 2018 that specify the ICO’s legal obligations to publish guidance to help organisations navigate the law. It also explains how the ICO uses its statutory powers to investigate and enforce UK information rights legislation.
  3. Statutory Guidance on the ICO’s PECR Powers, which explains how the ICO uses its statutory powers to enforce the data protection legislation relating to electronic communications like nuisance calls, emails and texts. The guidance focusses on the ICO’s powers to issue monetary penalty notices on a person, or an officer of a body, for data protection failures in respect of the PECR. This is a power that has recently been incorporated into law.

The ICO’s Chief Regulatory Officer, James Dipple-Johnstone, said: “Information rights have never been more important or impactful. Now more than ever, we support innovation and economic growth, but both require the public to have trust in the way their personal information is used.

“We are focussed on promoting best practice and compliance but, where it is necessary, we will exercise a fair and proportionate approach to enforcement action.”

The ICO said that while the UK Government is considering changes to the current data protection regime, it would continue to update its policies when it is both necessary and appropriate. “The three documents, which are being consulted on, reflect the current regulatory landscape and are not time limited.”

Publication of final documents, which is expected by the end of 2022, will be overseen by the new UK Information Commissioner. The Statutory Guidance documents must also be ratified by the Secretary of State for Digital, Culture, Media and Sport before being laid before Parliament.