The ICO recently updated its Data Protection Enforcement Policy in the light of recommendations from the Leveson Report. The policy remains largely the same as the ICO’s earlier 2010 policy, but contains new sections specifically clarifying the regulation of the press and incorporating the ICO’s recent Information Rights Strategy. The policy again stresses that market forces and proportionality will play a key role in the ICO’s decisions whether to take enforcement action.
The ICO last week published its updated Data Protection Enforcement Policy and Datonomy has been comparing this new improved version to the last version of the policy published in 2010. The policy sets out how the ICO intends to implement its regulatory powers under the Data Protection Act 1998, Privacy and Electronic Communications Regulations 2003 and associated legislation. The updated policy follows recommendations in the Leveson Report that the ICO publish clearer practice guidelines to ensure compliance with information rights legislation by the press and adopt an enforcement policy with specific press-related guidelines.
The new policy is substantially the same as the 2010 policy and again outlines the powers available to the ICO, including criminal prosecution, monetary penalties, the service of enforcement notices and audit. The driving factors behind enforcement continue to be complaints and matters of general public concern, together with a new factor: concerns raised by the novel or intrusive nature of particular activities. The ICO has again stressed that it will strive to ensure any action taken is proportionate, taking into account market forces and the public interest. Action will therefore be less likely where there are commercial incentives encouraging compliance with the legislation, and where market forces are themselves likely to correct the non-compliance. Enforcement will also be less likely where non-compliance has been due to ignorance of the requirements, has not caused significant detriment, or where the data controller has taken reasonable steps to prevent the breach.
Whilst the new policy generally clarifies and updates the 2010 policy, it also implements various key changes, many of which are designed to implement the Leveson recommendations. These include:
- A new section on the processing of personal data for special purposes, including by the press and media organisations, or for literary or artistic purposes. The ICO’s powers are significantly reduced in this area: it may only serve enforcement notices with permission from the court, and only where the processing of personal data is not solely for a special purpose, or is not being undertaken with a view to publication. The ICO may not serve enforcement notices at all where to do so would prevent publication of material that has not previously been published. To allow enforcement, the court must be satisfied that the contravention is of substantial public importance.
- Details of enforcement powers specifically related to the press, notably the power to issue Special Information Notices requiring the supply of information necessary to determine whether personal data is being processed for a special purpose.
- Incorporation of the ICO’s Information Rights Strategy, published in December 2011. The new policy emphasises the priority sectors identified for particular attention in the ICO’s Information Rights Strategy, including healthcare, criminal justice, local government and online and mobile services. These remain key sector areas in which compliance will be more keenly monitored. The ICO will focus primarily on the public sector in taking enforcement action, and will target cases where data processing is hidden from view or where the individuals concerned have a reduced choice over how their personal data is used.
- Greater focus on the Privacy and Electronic Communications Regulations 2003 (“PECR”). The 2010 policy covered the PECR only implicitly; the new policy now explicitly stresses the ICO’s role in monitoring and enforcing the PECR as well as the Data Protection Act 1998. Penalties specific to the PECR have now been added to the policy, including fixed monetary penalty notices providing for a set payment of £1,000 for failure to comply with the personal data breach notification requirements under the PECR, together with audit and notice powers specific to the PECR.