Information Commissioner’s Office: A public consultation

Wednesday 5 January 2022

As many of you will already be aware from your own involvement in the data protection world, or perhaps having read one of our recent blogs, the Information Commissioner’s Office (ICO) is the body responsible for regulating information rights, including personal data.

The ICO are not just responsible for data protection under the UK GDPR and Data Protection Act 2018, but are the regulators under many key pieces of legislation, including the Freedom of Information Act 2000 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Recently, the ICO have opened a consultation with the public in relation to three key documents: Regulatory Action Policy, Statutory Guidance on our Regulatory Action and Statutory Guidance on our PECR Powers.

In opening the consultation, the ICO hopes to receive feedback from individuals and organisations in relation to these documents and the ICO’s approach under them.

The Regulation Action Policy is an update to their 2018 policy, detailing the ICO’s approach to regulation and covering all legislation under which the ICO is responsible.  The first part details more generically how they work, including how they engage with organisations and their collaborations with other regulators. The second part delves into the specific legislation, detailing what the legislation is, the ICO’s responsibilities and any action it has the power to take.

The Statutory Guidance in relation to Regulatory Action document is issued in line with the ICO’s statutory obligations regarding data protection and provides clarity as to their approach including in relation to the issue of information notices, assessment notices, enforcement notices and penalty notices.

Finally, the ICO are looking to hear from the public on their Statutory Guidance in relation to the PECR Powers, which details the ICO’s powers when it comes to monetary penalty notices for breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003. The PECR is the key instrument regulating electronic communications, including marketing by email, phone, fax or text, as well as Cookies and other tracking information. It also works closely with the older Data Protection Act of 1998.

Recently, Virgin Media Limited were served a monetary penalty under the Data Protection Act 1998 for a breach of the PECR whereby the company sent direct marketing emails despite individuals having already opted out.  This resulted in a penalty of £50,000.

If you would like to review the documents and provide the ICO with feedback, you can access the information here.

If you have any questions regarding your data protection obligations as an organisation, please email or call Blacks’ Commercial Law team on 0113 207 0000.