The data protection powers of the Information Commissioner's Office are to:
- conduct assessments to check organisations are complying with the Act;
- serve information notices requiring organisations to provide the Information Commissioner's Office with specified information within a certain time period;
- serve enforcement notices and 'stop now' orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
- prosecute those who commit criminal offences under the Act;
- conduct audits to assess whether organisations processing of personal data follows good practice; and
- report to Parliament on data protection issues of concern.
Appeals from notices are heard by the Information Tribunal, an independent body set up specifically to hear cases concerning enforcement notices or decision notices issued by the Information Commissioner.
New power to issue monetary penalties
The Information Commissioner’s Office expects its new power to issue monetary penalties to come into force on 6 April 2010, allowing the ICO to serve notices requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act.
The ICO has produced statutory guidance about how it proposes to exercise this new power, which has been approved by the Secretary of State for Justice.
Strategy for Data Protection Regulatory Action
.