Enforcing
When organisations fail to implement good practice or fail to respond to our efforts to sort out a problem, our enforcement strategies will dictate how we use our legal powers to ensure compliance. We will take a targeted approach, putting effort into areas which pose the greatest risks.
The ICO will:
- Select the right legal sanction to use against those who ignore or refuse to accept their obligations
- Adopt a firm but fair approach
- Target our efforts where risks from non-compliance are greatest
- Prepare to take measured risks of our own when taking enforcement action
Enforcing - aim one:
Take purposeful risk-based enforcement action where obligations are ignored, where codes or guidance are not followed and where examples need to be set or issues clarified.
- Ensure that procedures and practices for prioritising and targeting cases deliver the aims of our Freedom of Information Enforcement Strategy and our Data Protection Regulatory Action Strategy. For freedom of information cases, take proportionate and risk-based action against those public authorities which fall short of expected standards. For data protection cases, selectively initiate, support or take on cases requiring enforcement or other forms of formal regulatory action, and ensure that our regulatory action work reinforces our other activities and adopts a robust approach, taking considered risks.
- Continue to encourage and promote good practice by highlighting examples of good and poor practice, particularly repeated or systemic poor practice. We will release information on the types of complaints we receive and on the organisations that we receive complaints about.
- During 2008/09, carry out chargeable spot checks to assess whether selected government departments are processing personal data in line with their obligations and best practice.
- Continue to press for new statutory powers and penalties to help address data protection risk. Once these are in place, and are adequately funded, implement an updated and strengthened Data Protection Regulatory Action Strategy:
  - using additional staff and appointed experts to carry out audits and other inspections; and
  - imposing the new sanctions in the most serious cases.
- We will increasingly raise the profile of our enforcement activity by seeking publicity and publicising good and bad practice.
Enforcing - aim two:
To ensure organisations which handle personal information comply with their obligation to notify us.
- Increase the number of organisations (data controllers) notifying with us by at least 2% each year. This is to be achieved by reminding data controllers to renew their notification, by targeting under-notified sectors and by encouraging the use of direct debits.
- Handle at least 40,000 new notifications and 262,000 renewals every year, with each transaction completed within five working days.
- Handle at least 60,000 changes to notification entries every year, with each change completed within 10 working days.
- Within three months of their approval, implement revised data protection fees regulations.