How the Information Commissioner’s office operates as a regulator

David SmithDeputy Information Commissioner

The Legislative Framework

• Data Protection Act 1998

• Privacy and Electronic Communications Regs 2003

• Freedom of Information Act 2000

• Environmental Information Regs 2004

EU Directive 95/46/EC

• On the protection of individuals with regard to the processing of personal data and on the free movement of such data

• Each member state shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted

• These authorities shall act with complete independence in exercising the functions entrusted to them.

Data Protection Act 1998

• Data controllers

• Notification

• Data protection principles

• Individual rights

Data Protection Act 1998

• Exemptions

• Special purposes

• Unlawful obtaining/disclosing (“blagging”)

• Information Commissioner

The Information Commissioner

• Promotion of good practice

• Provision of information and advice

• Development of Codes of Practice

• Ruling on requests for assessment (“complaints”)

• International cooperation

• Ensuring compliance

Ensuring compliance

• Information gathering powers

• Assessment notices (“compulsory audit”)

• Consensual audits

• Specific guidance for data controllers

• Report to Parliament

• Sanctions

Sanctions

• Criminal prosecution

• Civil monetary penalties

• Enforcement notices

• Formal undertakings

• Appeal to First Tier Tribunal

The ICO in Practice

• A model of good regulation

• Regard to Regulators’ Compliance Code

• Focus on risk to data privacy

• Selective to be effective

• Maximising our impact

• Importance of independence

In summary

• Enforce

• Educate

• Empower

• Engage

• Enable

www.twitter.com/iconews

Keep in touchSubscribe to our e-newsletter at www.ico.gov.uk

or find us on…