Data protection supervision according to British law

The Information Commissioner (IC) is the United Kingdom’s Data Protection Ombudsman and runs the Information Commissioner’s Office (ICO).

The data protection Ombudsman is independent of government and reports to Parliament annually. In addition to the ICO’s headquarters in Wilmslow (England) there are regional branches in Cardiff (Wales), Edinburgh (Scotland) and Belfast (Northern Ireland). The ICO has over 350 employees.

The ICO deals with overseeing the following laws:

  • Data Protection Act (DPA) 1998 (ENG)
  • Law on electronic communication (The Privacy and Electronic Communications (EC Directives) Regulations 2003 (PECR)) (ENG)


Schedule 5 of the Data Protection Act (DPA) 1998 (ENG) contains provisions on organising the UK Data Protection Authority.

The Queen appoints the data protection Ombudsman, on the advice of the Prime Minister, for a period of five years. The candidate for the office is chosen in advance by the Lord Chancellor with the help of an election procedure. He may only be dismissed from his office at his own request, by the Queen, or following the agreement of both Houses of Parliament.

The data protection Ombudsman appoints one to two deputies and sets the number of employees.

Duties of the data protection authority

The ICO monitors compliance with the DPA and the law on electronic communication. In addition, the ICO draws up guides on data protection related questions and deals with complaints from data subjects.

In 2012, the ICO published a guide on handling personal data, which had been drawn up in accordance with Article 51 of the DPA. The guide is aimed at organisations that process personal data and not only describes how to handle that kind of data but also contains instructions on practical measures that can be taken to meet the demands of the DPA.

Link to the guide

Schedule 5 of the DPA lists the methods at the ICO’s disposal for monitoring compliance with the DPA.

The ICO’s duties also include:

  • Registering the data controller
  • Processing entries
  • Measures for monitoring the DPA and PECR
  • International obligations

Registering the data controller

The DPA requires organisations that process personal data and are not covered by exceptions to register with the ICO (see the chapter on the reporting obligation). Non-compliance is a criminal offence.

Name and address of the registered organisations and a description of the data processing are published in a directory.

Submitting to the ICO

The data protection authority is not obliged to initiate investigations into a data collector’s processing on the basis of complaints. The authority decides independently whether an investigation is initiated.

As soon as a complaint leads to an investigation, the organisation in question is made aware of its misconduct and given instructions. Should the organisation not follow the instructions, the ICO can take enforcement measures and, in serious cases, issue a fine of up to £500,000.

Measures for monitoring the DPA and PECR

To guarantee compliance with the DPA and the PECR, the ICO mainly issues notices and imposes fines.

Article 31 of the PECR establishes that the provisions in Schedule 5 of the DPA also apply to the PECR.

In accordance with Article 41A of the DPA, the ICO has the authority to carry out compulsory audits. To be able to carry out this kind of investigation and act accordingly, the ICO has access to all personal data and information required for an investigation as well as access to all premises where the data collector keeps information relevant for processing. An investigation is always concluded by means of a formal decision (assessment notice).

Should the data protection authority be denied this kind of investigation, or should it receive insufficient information and therefore be unable to assess whether the data processing was carried out in a legal manner, it may, under Article 47, impose administrative penalties and prohibit the processing of data temporarily or definitively.

If a violation of the DPA is established, the ICO may, in accordance with Article 45, make arrangements for rectification, impose administrative penalties and, in urgent cases, prohibit the processing of data temporarily or definitively.

Before the data protection authority decides to impose a fine in accordance with Articles 44 or 45, the data controller must be given the opportunity to state its position on the decision (see Article 46). In the event of gross misconduct, the data protection authority may, however, immediately impose fines. The temporary decision is reviewed once the deadline for taking a position has expired.

The value of the penalties is to be determined in consideration of the extent of the crime and the financial circumstances of the person penalised. It is possible to appeal against the decisions of the Swedish data protection authority before the administrative court (cf. Article 51).

The data protection authority may not demand that a data collector delete already processed data. In accordance with Article 47, deletion may only be enacted following an administrative court decision.

International obligations

The ICO is obliged to collaborate with European and other international partners, including the EU Commission and with other data protection authorities. This collaboration encompasses:

  • An exchange of information and best practices;
  • Support with complaints, subsequent investigations and enforcement measures;
  • Collaborating with the aim of improving data protection and preparing joint opinions and guides.

More information on the ICO’s international obligations can be found on its website: Link

Additional information on the ICO’s measures

In-depth information on the ICO’s measures in terms of monitoring the DPA and the PECR has been published on the ICO’s website:

Complaints on the ICO’s measures are heard by the First Tier Tribunal (Information Rights) in the first instance. The First Tier Tribunal only hears complaints on enforcement notices, orders and fines issued by the ICO.