Data protection in UK (England and Wales): overview

A Q&A guide to data protection in the UK.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Mark Watts and Bathilde Waquet, Bristows LLP

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

Directive 95/46/EC on data protection (Data Protection Directive) has been implemented in the UK by the Data Protection Act 1998 (DPA).

Sectoral laws

The key sectoral laws are:

  • The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended (PECR), which implement Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.

  • The Regulation of Investigatory Powers Act 2000 (RIPA), which regulates the interception of communications, the acquisition of communications data and the use of surveillance powers.

  • The Data Retention and Investigatory Powers Act 2014 (DRIPA), which governs the retention of "communications data" but contains a "sunset clause" repealing it on 31 December 2016. Depending on the outcome of the ruling of the Court of Justice of the European Union in joined cases C-203/15 and C-698/15, DRIPA's expiry date may be brought forward.

  • At the time of writing, the Investigatory Powers Bill is under review by the House of Lords. If passed, it will replace both RIPA and DRIPA and consolidate the legal framework on the use of investigatory powers by UK law enforcement and intelligence agencies.

  • The Freedom of Information Act 2000, as amended (FOIA), which regulates access to information held by public authorities.

 

Scope of legislation

2. To whom do the laws apply?

Responsibility to comply with most obligations set out in the Data Protection Act (DPA) lies with "data controllers". These are persons (individuals or legal entities) who determine, alone or jointly, the "purposes and means" of data processing (section 1(1), DPA).

Guidance issued by the Information Commissioner's Office places emphasis on the purposes rather than on the means of processing in determining whether a person is a data controller. Where a statutory duty involves the processing of personal data, the person subject to that duty is deemed to be the data controller for the purpose of the DPA (section 1(4), DPA).

"Data processors" are not directly subject to the DPA. These are individuals or legal entities (other than a data controller's staff) that process personal data on behalf of a data controller (section 1(1), DPA).

 
3. What data is regulated?

The Data Protection Act (DPA) applies to "personal data", which is data relating to a living individual who can be identified from this data or from a combination of this data with other information in the possession of, or likely to come into the possession of, the data controller. Personal data includes (section 1(1), DPA):

  • Opinions about an individual.

  • Any indication of the intentions of the data controller with respect to an individual.

In its Online Code of Practice, the Information Commissioner's Office (ICO) provides that where online information is collected and analysed with the intention of distinguishing one individual from another, and of taking a certain action in respect of this individual, that information is personal data.

"Data" is any information which is (section 1(1), DPA):

  • Held, or intended to be held, on a computer system.

  • Recorded, or intended to be recorded, as part of a relevant filing system and processed otherwise than by automatic means. A relevant filing system is defined as a set of records that are structured in a way allowing ready access to information about individuals.

  • Information forming part of an accessible record (that is, health or educational records, or public information held by public authorities), whether or not falling within the above categories.

  • Any other information held by a public authority that would not otherwise be caught by this definition.

The DPA also includes a definition of "sensitive personal data" (see Question 11).

 
4. What acts are regulated?

The Data Protection Act (DPA) regulates the "processing" of personal data. This term is defined broadly as meaning virtually any activity carried out on personal data, such as data collection, recording, use, storage, disclosure, and destruction (section 1(1), DPA).

 
5. What is the jurisdictional scope of the rules?

The Data Protection Act (DPA) applies if one of the following conditions is satisfied (section 5(1), DPA):

  • The data controller is established in the UK and personal data is processed in the context of such establishment.

  • The data controller is not established in the UK or in any country in the European Economic Area but uses equipment in the UK to process personal data (other than for transit).

The following persons are regarded as being "established" in the UK (section 5(3), DPA):

  • Individuals ordinarily resident in the UK.

  • UK-registered companies.

  • UK-formed partnerships or other unincorporated associations.

  • Any person who does not fall within the above categories but maintains an office, branch, agency or a regular practice in the UK.

 
6. What are the main exemptions (if any)?

The main exemptions from the Data Protection Act (DPA) relate to data processing for specific purposes. These include (Part IV and Schedule 7, DPA):

  • Criminal justice, taxation or regulatory activities.

  • The disclosure of personal data required by law or necessary for legal proceedings or to obtain legal advice.

  • The provision of confidential references.

  • Domestic purposes.

  • Management forecasting or negotiations.

  • Research, statistical or historical purposes.

  • Journalism, literature and art.

  • Personal data required to be made public.

Exemptions are not a blanket exclusion of the rights and obligations set out in the DPA. They only exempt processing from two categories of specific provisions. The first category is the "subject information provisions". These comprise a data controller's duty to (section 27(2), DPA):

  • Provide data subjects with the fair processing information described in Question 12.

  • Comply with subject access requests (see Question 13).

The second category is the "non-disclosure provisions". These comprise a data controller's duty to (section 27(3) and (4), DPA):

  • Process data fairly and lawfully (with the exclusion of the obligation to satisfy a legal condition for processing).

  • Collect personal data only for specified and lawful purposes, and not further process it in a manner incompatible with these purposes.

  • Ensure personal data is adequate, relevant and not excessive in relation to the purposes for which it is processed.

  • Ensure personal data is accurate and, where necessary, kept up to date.

  • Ensure personal data is not to be kept for longer than necessary in relation to the purposes for which it is processed.

  • Comply with the data subject's right to object to processing that is likely to cause damage or distress (see Question 13).

  • Comply with the data subject's right to rectify, block, erase or destroy inaccurate information about them (see Question 14).

The application of each exemption is subject to certain conditions provided in the DPA. The Information Commissioner's Office has made clear that exemptions should be construed narrowly, and that data controllers should only depart from the DPA to the minimum extent necessary to protect the particular purposes of an exemption.

 

Notification

7. Is notification or registration required before processing data?

Data controllers processing personal data in an automated form must notify the Information Commissioner's Office (ICO) unless they are exempt (section 18, Data Protection Act (DPA)). Failure to notify is a criminal offence.

Organisations processing personal data only for one of the following purposes are exempt from the requirement to notify:

  • Staff administration, advertising, marketing and public relations, or accounts and records as a core business process.

  • Maintenance of a public register.

  • Personal, family, household or recreational reasons.

  • Judicial functions.

  • Establishing membership or support for a not-for-profit organisation, or administering activities for its members or contacts.

A notification must include certain details about the processing activities, such as:

  • The identification of the data controller.

  • The purposes of the data processing.

  • The categories of personal data, data subjects and recipients.

  • Whether international data transfers are involved.

These details are used by the ICO to make an entry in a register of data controllers, which is made available to the public.

The cost of notification depends on the size and turnover of the data controller:

  • GB£500 for:

    • organisations with an annual turnover of GB£25.9 million or more and more than 249 employees; or

    • public authorities with more than 249 employees.

  • GB£35 for:

    • all other organisations, regardless of their size and turnover;

    • charities;

    • small occupational pension schemes; or

    • organisations that have been in existence for less than one month.

Notifications must be renewed annually. Any changes to a notification must be reported to the ICO.

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

Personal data must be processed by data controllers in accordance with eight data protection principles set out in the Data Protection Act (DPA), unless an exemption applies (section 4, DPA).

The Data Protection Principles are set out in Schedule 1 to the DPA as follows:

  • Personal data must be processed fairly and lawfully. In particular, one of the legal conditions for processing must be satisfied (see Questions 9 and 10).

  • Personal data must be collected only for specified and lawful purposes, and must not be further processed in a manner incompatible with those purposes.

  • Personal data must be adequate, relevant and not excessive in relation to the purposes for which it is processed.

  • Personal data must be accurate and, where necessary, kept up to date.

  • Personal data must not be kept for longer than necessary in relation to the purposes for which it is processed.

  • Personal data must be processed in line with data subjects' rights.

  • Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  • Personal data must not be transferred to a country outside of the European Economic Area unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing.

The Information Commissioner's Office has issued guidelines to assist data controllers in complying with the Data Protection Principles.

 
9. Is the consent of data subjects required before processing personal data?

General rule

Data controllers must satisfy one of the legal grounds for processing (see Question 10), of which consent is one option but not the only option.

Since it may be difficult to obtain a valid consent in some circumstances (for example, from employees), and because consent may be withdrawn at any time, data controllers often need to rely on grounds other than consent to legitimise a particular processing activity.

Form of consent

Consent is not defined in the Data Protection Act (DPA). Under the Data Protection Directive, consent means any freely given, specific and informed indication of an individual's wishes by which he or she signifies his or her agreement to the processing of his or her personal data (Article 2, Data Protection Directive).

The DPA does not include any requirement regarding the form in which consent must be obtained. Guidance from the Information Commissioner's Office (ICO) suggests that consent can be given in any form (for example, online, orally, or in writing) and can be express or implied, provided that the following conditions are met:

  • Positive and definite action is taken by the data subject to signify consent.

  • The data subject understands the implication of his or her action.

Explicit consent is required for the processing of sensitive personal data (see Question 11).

Children's data

The DPA does not provide for an age threshold for consent to be valid.

In its Online Code of Practice, the ICO takes the view that children under 12 are unlikely to be able to give valid consent, and that for children aged 12 and over it must be determined case by case whether they are mature enough to consent, taking into account the complexity of the data processing and the risk it presents to the child.

 
10. If consent is not given, on what other grounds (if any) can processing be justified?

Alternative grounds to consent are where the processing is necessary for one of the following purposes (Schedule 2, Data Protection Act (DPA)):

  • Performance of a contract to which the data subject is a party.

  • Taking steps, at the request of the data subject, with a view to entering into a contract.

  • Compliance with a non-contractual legal obligation that applies to the data controller.

  • Protection of the data subject's "vital interests" (that is, circumstances of life or death).

  • Administration of justice, or the exercise of statutory, governmental or other public functions.

  • The legitimate interests of the data controller or of a third party to whom the data is disclosed. These interests must be balanced against those of the individuals concerned: the condition is not satisfied if the processing is unwarranted because it prejudices the rights, freedoms or legitimate interests of the data subject.

For each of these conditions, the "necessity test" must be met. This requires a real and substantial link between the processing activity and its purpose. The Information Commissioner's Office has stated that the test is not met in either of the following situations:

  • The relevant purpose can be achieved via other reasonable means.

  • The processing is merely convenient or of interest to the data controller.

 

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

"Sensitive personal data" is personal data consisting of information as to (section 2, Data Protection Act (DPA)):

  • Racial or ethnic origin.

  • Political opinion.

  • Religious beliefs or other beliefs of a similar nature.

  • Trade union membership.

  • Physical or mental health.

  • Sexual life.

  • The commission (or allegation) of an offence.

  • Proceedings for an offence, the disposal of such proceedings or the sentence handed down.

In addition to relying on one of the standard conditions for processing personal data (see Questions 9 and 10), data controllers must satisfy one of the following conditions when processing sensitive personal data (Schedule 3, DPA):

  • The data subject has given his or her explicit consent.

  • The processing is necessary for compliance with employment law.

  • The processing is necessary to protect the vital interests of the data subject (where his or her consent cannot be given or reasonably obtained) or another individual (where the individual's consent has been unreasonably withheld).

  • The processing involves data that has deliberately been made public by the data subject.

  • The processing is carried out by a not-for-profit organisation and does not involve the disclosure of personal data to third parties without the consent of the data subject.

  • The processing is necessary in relation to legal proceedings, obtaining legal advice, or otherwise establishing, exercising or defending legal rights.

  • The processing is necessary for the administration of justice, or for exercising statutory or governmental functions.

  • The processing is necessary for anti-fraud purposes.

  • The processing is necessary for monitoring equality and opportunity, and is carried out with appropriate safeguards for the rights and freedoms of the data subjects.

  • The processing is necessary for medical purposes and is undertaken by a health professional or a person who is bound by an equivalent duty of confidentiality.

Additional grounds for processing sensitive personal data may be specified in other statutory instruments for a range of purposes essentially in the public interest, such as the prevention or detection of crime.

The Privacy and Electronic Communications Regulations (PECR) contain specific restrictions on the use of "traffic data" (Regulations 7 and 8, PECR) and "location data" (Regulation 14, PECR) by public communications providers.

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

Data subjects must be provided with the following information, except where they already have it or where data is not collected directly from them and this would involve a disproportionate effort (Schedule 1, Part 2, first principle, Data Protection Act (DPA)):

  • The identity of the data controller and its representative (if any).

  • The purposes for which personal data is intended to be processed.

  • Any additional information which is necessary in the circumstances for the processing to be fair.

This information must be made available to data subjects before the collection of personal data or, where data is not collected directly from them, as soon as is practicable after the first time personal data is processed.

When deciding what additional items of information may be provided in the interest of fairness, the Information Commissioner's Office recommends considering the nature of the personal data and a data subject's reasonable expectations. Essentially, data controllers should consider informing data subjects about any intended activity that is likely to be regarded as unexpected, objectionable or controversial.

 
13. What other specific rights are granted to data subjects?

Data subjects have the right to obtain from a data controller a copy of the information constituting their personal data in permanent form, together with a description of the purposes for which the data is being processed and the recipients or classes of recipients to whom the data is or may be disclosed (section 7, Data Protection Act (DPA)). Data controllers must respond to an access request promptly and in any event within 40 days of receipt, and can require payment of a fee, which in most cases is capped at GB£10.

Data subjects are entitled, by written notice, to require a data controller to stop, or not to begin, the processing of their personal data if the processing is causing or is likely to cause unwarranted substantial damage or distress (section 10, DPA). Data controllers must respond within 21 days of receipt of the notice.

Data subjects also have a right to prevent, by written notice, the processing of their personal data for direct marketing purposes, irrespective of whether they have previously consented to the activity (section 11, DPA). Data controllers must then stop sending the marketing communication within a reasonable time. The Information Commissioner's Office's guidance on direct marketing recommends a period of:

  • 28 days for calls and electronic marketing.

  • Two months for postal marketing.

Where decisions that significantly affect a data subject are taken on the sole basis of the automated processing of personal data, a data subject has the right to:

  • Request to be informed about the logic involved in that decision-taking (section 7, DPA).

  • Object in writing to such automated decision-taking and ask the data controller to reconsider a decision taken by automated means (section 12, DPA).

Data subjects have a right to claim compensation from data controllers for damage or distress caused to them by a contravention of the DPA (section 13, DPA). In Vidal-Hall v Google Inc, the Court of Appeal held that data subjects are entitled to claim compensation for distress alone, without having to prove pecuniary damage (see Question 26).

 
14. Do data subjects have a right to request the deletion of their data?

Data subjects have a right to apply to a court for an order to rectify, block, erase or destroy inaccurate information about them, as well as any other personal data which contains an opinion based on the inaccurate information (section 14, Data Protection Act).

The court can also order the data controller to notify any third party to whom inaccurate data has been disclosed of the rectification, blocking, erasure or destruction.

 

Security requirements

15. What security requirements are imposed in relation to personal data?

Data controllers must (Schedule 1, Part II, seventh principle, Data Protection Act (DPA)):

  • Implement appropriate technical and organisational security measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  • Take reasonable steps to ensure the reliability of staff who have access to personal data.

  • Take additional steps where the processing of personal data is carried out by a data processor (see Question 17).

While the DPA remains silent on the types of security measures to be implemented, it provides that the level of security must be appropriate to:

  • The nature of the personal data in question.

  • The harm that might result from its improper use, or from its accidental loss or destruction.

In assessing the appropriate level of security, a data controller must consider the state of technological development and the cost of implementing any measures.

The Information Commissioner's Office's guidance states that there is no one solution to data security, and that each data controller must adopt a risk-based approach in deciding the level of security needed depending on its own circumstances (for example, staff number, access controls, size of premises, third party disclosure).

 
16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

Under the Privacy and Electronic Communications Regulations (PECR), providers of a public electronic communications service must notify the Information Commissioner's Office (ICO) of a personal data breach within 24 hours of becoming aware of it, and must also notify the subscribers or users concerned, without undue delay, where the breach is likely to adversely affect their personal data or privacy (Regulation 5A, PECR).

There is no legal obligation for data controllers to report personal data security breaches under the Data Protection Act (DPA). However, the ICO's guidance makes clear that it expects serious breaches to be reported to the ICO and, where it is in their interest, to the individuals concerned.

According to the ICO's guidance, the seriousness of the breach should be assessed in light of the following criteria:

  • The potential detriment to data subjects (for example, emotional distress, physical and financial damage).

  • The volume of personal data lost, released or corrupted.

  • The sensitivity of the data lost, released or corrupted.

Where a breach is reported to the ICO, the following information should be included:

  • Details of the breach (for example, timing and circumstances, existing measures in place at the time of the breach).

  • Details of the personal data involved (for example, the nature of the data, the number of individuals affected, potential effects on individuals, complaints received).

  • Description of the containment and recovery measures implemented.

  • Description of any training and guidance implemented by the data controller.

  • Details of previous contacts with the ICO regarding any previous incidents.

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Where a data processor processes personal data on behalf of a data controller, the data controller must (Schedule 1, Part II, seventh principle, Data Protection Act):

  • Choose a data processor that provides sufficient guarantees about its security measures governing the processing in question.

  • Take reasonable steps to verify that such measures are complied with.

  • Enter into a written contract under which the data processor must act only on the data controller's instructions and must comply with security obligations equivalent to those imposed on the data controller by the seventh principle.

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

Data controllers must provide notice to, and obtain consent from, users in relation to the setting of cookies on their terminal equipment (Regulation 6, Privacy and Electronic Communications Regulations (PECR)). The Information Commissioner's Office (ICO) recommends that the time elapsing before a user is given information and a choice about cookies should be kept as short as possible.

The PECR is not prescriptive as to the content of the notice and how it should be delivered. The ICO recommends that a prominent notice should include at least the categories of cookies served and their main purposes.

In its most recent guidance, the ICO has confirmed that implied consent is a valid form of consent provided:

  • Some action is taken by users from which consent can be inferred.

  • Users have a reasonable understanding that by taking that action they are agreeing to cookies being set.

The ICO has emphasised that data controllers should not rely merely on the fact that individuals may have read a privacy policy. Explicit consent may be more appropriate in some circumstances (for example, where sensitive personal data is collected).

While PECR expressly states that browser settings may signify user consent (Regulation 6, PECR), the ICO considers that browser settings do not provide individuals with sufficient means to provide consent at present.

Consent is not required for cookies whose sole purpose is to carry out the transmission of a communication over an electronic network and for cookies that are strictly necessary for the provision of a requested information service (Regulation 6, PECR).
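The practical consequence of Regulation 6 for a site is that cookies fall into two groups: the strictly necessary ones, which may be set on page load, and everything else, which must wait for a positive action from the user. The following JavaScript is an added illustration of that gate written for this page; it is not code from the original article, from the ICO or from Bristows LLP. The category names, cookie names and the in-memory cookie jar are assumptions constructed so that the code runs outside a browser; in a real page the writer passed to the gate would assign to document.cookie.

```javascript
// Added example: a consent gate that sets strictly necessary cookies immediately and
// holds back every other cookie until the user grants consent for its category.
// Category names, cookie names and the in-memory jar are constructed for this example.

const STRICTLY_NECESSARY = "strictly_necessary"; // exempt from consent under Regulation 6, PECR

// Builds a Set-Cookie style string so attributes such as Secure and SameSite are not lost.
function serialiseCookie(name, value, attrs) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  if (attrs.secure) parts.push("Secure");
  return parts.join("; ");
}

class CookieConsentGate {
  // writer(cookieString) performs the actual write (document.cookie = ... in a browser).
  constructor(writer) {
    this.writer = writer;
    this.consented = new Set();  // categories the user has agreed to
    this.pending = new Map();    // name -> {value, category, attrs} waiting for consent
    this.written = new Map();    // name -> category, so consent withdrawal can expire them
  }

  // Returns "set" when the cookie was written, "deferred" when it must wait for consent.
  set(name, value, category, attrs = {}) {
    const allowed = category === STRICTLY_NECESSARY || this.consented.has(category);
    if (!allowed) {
      this.pending.set(name, { value, category, attrs });
      return "deferred";
    }
    this.writer(serialiseCookie(name, value, attrs));
    this.written.set(name, category);
    this.pending.delete(name);
    return "set";
  }

  // The record of the user's choice is itself strictly necessary, so it is always written.
  recordChoice() {
    this.set("cookie_consent", [...this.consented].sort().join(","), STRICTLY_NECESSARY,
             { maxAge: 180 * 24 * 3600, path: "/", sameSite: "Lax", secure: true });
  }

  // Call only from an explicit user action (for example a click on the banner): that action
  // is the "action from which consent can be inferred". Flushes deferred cookies whose
  // category is now consented and records the choice.
  grant(categories) {
    for (const c of categories) this.consented.add(c);
    for (const [name, p] of [...this.pending]) {
      if (this.consented.has(p.category)) this.set(name, p.value, p.category, p.attrs);
    }
    this.recordChoice();
  }

  // Consent can be withdrawn later: drop the category and expire the cookies it covered.
  withdraw(category) {
    this.consented.delete(category);
    for (const [name, cat] of [...this.written]) {
      if (cat === category) {
        this.writer(serialiseCookie(name, "", { maxAge: 0, path: "/" }));
        this.written.delete(name);
      }
    }
    this.recordChoice();
  }
}

// Constructed stand-in for document.cookie so the example runs under Node: parses each
// written cookie string back into name -> value, treating Max-Age=0 as deletion.
function makeMemoryJar() {
  const jar = new Map();
  const writer = (cookieString) => {
    const [pair, ...attrs] = cookieString.split("; ");
    const [name, value] = pair.split("=").map(decodeURIComponent);
    if (attrs.includes("Max-Age=0")) jar.delete(name);
    else jar.set(name, value);
  };
  return { writer, names: () => [...jar.keys()], get: (n) => jar.get(n) };
}

// Walks through a page load, a partial consent, and a later withdrawal.
function demo() {
  const jar = makeMemoryJar();
  const gate = new CookieConsentGate(jar.writer);

  // Page load, before the user has touched the banner.
  gate.set("session_id", "4f2c9e", STRICTLY_NECESSARY, { path: "/", sameSite: "Lax", secure: true });
  gate.set("_ga", "GA1.2.12345", "analytics", { maxAge: 63072000 });
  gate.set("ad_id", "a1b2c3", "advertising", { maxAge: 2592000 });
  const beforeConsent = jar.names();                 // only session_id

  gate.grant(["analytics"]);                         // user clicks "Allow analytics only"
  const afterConsent = jar.names();                  // session_id, _ga, cookie_consent
  const stillPending = [...gate.pending.keys()];     // ad_id is still held back
  const consentRecord = jar.get("cookie_consent");   // "analytics"

  gate.withdraw("analytics");                        // user later changes their mind
  const afterWithdrawal = jar.names();               // _ga has been expired

  return { beforeConsent, afterConsent, stillPending, consentRecord, afterWithdrawal };
}
```

The point worth noticing is that the gate never decides for the user: nothing other than a call to grant(), which a page would wire to the banner's button, moves a cookie out of the pending queue, and withdraw() expires what was set rather than merely stopping future writes.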

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

Marketing by electronic communications

Under the Privacy and Electronic Communications Regulations (PECR), "electronic mail" includes any type of message sent over a public electronic communication network where the message can be stored electronically, such as e-mail, SMS, MMS and instant messaging (Regulation 2, PECR).

The general rule is that unsolicited electronic mail must not be sent to individual subscribers unless they have specifically consented to receiving it (that is, they have "opted in"). There is an exception to this requirement (often referred to as the "soft opt-in") where all of the following conditions are met (Regulation 22, PECR):

  • The contact details of the recipient have been obtained in the context of a sale (or negotiation of a sale) of a product or service by the sender to the recipient.

  • The marketing communication is only for the sender's own products or services which are similar to those previously sold to the recipient.

  • The recipient has been given the possibility to opt-out of the use of his or her information for direct marketing both on the first collection of his or her details and in every message after that.

These rules do not apply to corporate subscribers. However, where the communication is directed at a specific individual working at an organisation, this individual has a right to opt-out of receiving direct marketing under the Data Protection Act (see Question 13).

The sender must not disguise or conceal its identity and the commercial nature of the communication must be clearly identifiable. The sender must also provide a valid contact address for recipients to be able to opt-out (Regulation 23, PECR).

Marketing by telephone

Live marketing calls may only be made to individuals or corporate subscribers who have not registered their number with the Telephone Preference Service (or, for corporate subscribers, the Corporate Telephone Preference Service) and who have not previously told the caller that they object to such calls (Regulation 21, PECR).

Use of an automated calling system is subject to an individual's specific consent. This restriction does not apply for corporate subscribers (Regulation 19, PECR).

In May 2016, the PECR were amended to require anyone making a marketing call (both live calls and via an automated calling system) to display their number.

Partnerships in England and Wales (other than limited liability partnerships) and sole traders are treated as individual subscribers for the purposes of the PECR.

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

The Data Protection Act (DPA) does not include any specific restrictions on the transfer of personal data to countries within the European Economic Area.

Personal data may not be transferred from the UK to a country outside of the European Economic Area which does not offer an adequate level of protection unless one of the following conditions is satisfied (Schedule 4, DPA):

  • The data subject has given his or her consent to the transfer.

  • The transfer is necessary for the performance of a contract with the data subject, or for compliance with a request to contract from the data subject.

  • The transfer is necessary in relation to the conclusion or performance of a contract with a third party in the data subject's interest or at his or her request.

  • The transfer is necessary for reasons of public interest.

  • The transfer is necessary in order to protect the vital interests of the data subject.

  • The transfer is made from a public register.

  • The transfer is necessary in connection with legal proceedings, for the purpose of obtaining legal advice, or establishing, exercising or defending legal rights.

  • The transfer is made on the basis of terms that have been approved by the Information Commissioner's Office (ICO) as providing adequate safeguards for the rights and freedoms of data subjects, such as contractual clauses approved by the European Commission (EC Model Clauses).

  • The transfer has been authorised by the ICO as providing adequate safeguards for the rights and freedoms of data subjects.

The adequacy of the level of protection associated with a particular transfer may be ensured in one of the following ways:

  • The recipient country has been the subject of a "positive finding of adequacy" by the EU Commission.

  • The data controller has conducted its own adequacy assessment in light of the relevant factors listed in the DPA.

  • The data controller has drawn up its own data transfer agreement after an assessment to bring the level of data protection up to an adequate level.

Although they are not explicitly mentioned in the DPA, Binding Corporate Rules that have been approved by the ICO as providing adequate safeguards for the rights and freedoms of data subjects may validly be relied on to transfer personal data to entities within the same group and located outside of the UK.

21. Is there a requirement to store any type of personal data inside the jurisdiction?

There is no statutory requirement to store any type of personal data in the UK.

 

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Two types of data transfer agreements may be used by data controllers:

  • Agreements based on the EC Model Clauses that can include additional provisions provided they do not impact the effect of the EC Model Clauses.

  • Ad hoc agreements drawn up by data controllers themselves to ensure adequacy.

The Information Commissioner's Office recommends using data transfer agreements (as well as binding corporate rules), as they ensure ongoing protection to personal data after the transfer.

 
23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

Data transfer agreements are sufficient to legitimise data transfers. However, the other Data Protection Principles set out in the Data Protection Act must also be complied with (see Question 8).

 
24. Does the relevant national regulator need to approve the data transfer agreement?

Data transfer agreements which are based on the EC Model Clauses (in their unamended form) do not need to be authorised by the Information Commissioner's Office.

Although the Data Protection Act (DPA) grants the ICO the power to authorise data transfers, the ICO's view is that data controllers are in a better position to decide if there is an adequate level of data protection in light of the safeguards implemented around a particular transfer. As a result, the ICO does not authorise data transfer agreements other than in exceptional circumstances.

Ad hoc data transfer agreements may be subject to future challenge by the ICO. In this case, data controllers must be prepared to demonstrate that such agreements provide adequate safeguards.

 

Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

The main enforcement powers of the Information Commissioner's Office (ICO) are to:

  • Make an assessment of the compliance of a data controller with the Data Protection Act (DPA) on the request of a data subject (section 42, DPA).

  • Serve assessment notices to determine whether public bodies acting as data controllers comply with the DPA (section 41B, DPA).

  • Serve information notices requiring specific information from data controllers within a certain time period (section 43, DPA; Regulation 3, Privacy and Electronic Communications Regulations (PECR)).

  • Conduct audits to determine whether service providers are complying with their security obligations under the PECR (Regulation 5, PECR).

  • Conduct consensual audits of data controllers' processing activities (section 51(7), DPA).

  • Serve enforcement notices requiring data controllers to take, or refrain from taking, specified steps. Failure to comply with an enforcement notice is an offence, unless data controllers can demonstrate they have exercised all due diligence in complying with the notice (section 40, DPA; Regulation 31, PECR).

  • Ask data controllers to enter into a letter of undertaking, committing them to a particular course of action.

  • Apply to the court for a search warrant (entry, inspection and seizure) where there are reasonable grounds for suspecting that the DPA or PECR have been contravened or that an offence under the DPA or PECR has been committed (section 50 and Schedule 9, DPA; Regulation 31, PECR).

  • Issue monetary penalty notices up to GB£500,000 for serious and deliberate breach of the DPA or PECR (see Question 26).

  • Issue fixed monetary penalty notices of GB£1,000 on service providers who fail to notify a security breach under the PECR (Regulation 5C, PECR).

  • Prosecute data controllers who commit offences under the DPA (section 60, DPA).

 
26. What are the sanctions and remedies for non-compliance with data protection laws?

Administrative sanctions

The Information Commissioner's Office (ICO) may impose monetary penalty notices for serious breaches of the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR) likely to cause substantial damage or substantial distress, where the breach was deliberate or the data controller knew or ought to have known that there was a risk of this and failed to take reasonable steps to prevent it (section 55A, DPA; Regulation 31, PECR).

In April 2015, an amendment to the PECR removed the requirement for the ICO to consider whether the contravention is likely to have caused substantial damage or substantial distress with respect to the direct marketing rules set out in the PECR.

The largest monetary penalty issued to date by the ICO is GB£400,000 awarded against TalkTalk, a telecommunications service provider, for failing to take basic cyber security measures to prevent hackers accessing the personal data of 156,959 customers, including their bank details.

Criminal sanctions

Where a contravention of the DPA is an offence, data controllers (including their directors in certain circumstances) may be liable to an unlimited fine on conviction by the Magistrates' Court or the Crown Court (sections 60 and 61, DPA).

The DPA does not provide for custodial sentences. The government has the power by order to provide for imprisonment of up to two years for unlawfully obtaining or disclosing personal data (section 55, DPA). However, this power has not been exercised to date.

Civil sanctions and remedies

Data subjects can privately claim compensation from data controllers in the courts for damage and distress caused to them by a contravention of the DPA (section 13, DPA). In Google Inc v Vidal-Hall, the Court of Appeal found that data subjects are entitled to claim compensation for emotional distress alone, without having to prove pecuniary damage.

Data subjects can also enforce specific rights before the courts in the event that a data controller has failed to comply with written notices or requests served by a data subject under the DPA (see Questions 13 and 14).

 

Regulator details

Information Commissioner's Office (ICO)

W www.ico.gov.uk

Main areas of responsibility. The ICO is an independent public body led by the Information Commissioner, Elizabeth Denham. It is responsible for overseeing and enforcing compliance with the Data Protection Act, Privacy and Electronic Communications Regulations, Freedom of Information Act and the Environmental Information Regulations 2004.



Online resources

W www.legislation.gov.uk/

Description. Official website for all UK legislation, managed by the National Archives on behalf of HM Government. All legislation is up-to-date.

W www.bailii.org/

Description. Website providing access to British, Irish and EU case law and maintained by the British and Irish Legal Information Institute (BAILII). However, it does not indicate whether cases remain good law.



Contributor profiles

Mark Watts, Partner

Bristows

T +44 20 7400 8000
E mark.watts@bristows.com
W www.bristows.com

Professional qualifications. Solicitor, 1995; Partner, 2003; Joint Managing Partner, 2010

Areas of practice. IT (software development, system deployment); outsourcing; e-commerce; data protection.

Recent transactions

  • Advising companies deploying business-critical IT platforms and applications.
  • Advising on the creation of social networking websites, cloud computing, mobile apps and online trading websites.
  • Advising many multinational companies on general international data protection compliance issues, particularly on international data transfers matters, such as Binding Corporate Rules.
  • Advising companies how to respond to data protection enforcement actions, including Monetary Penalty Notices.
  • Particular expertise in data protection (formerly Global Privacy Counsel at IBM).

Non-professional qualifications. BSc (Hons.) Physics, University of Wales; D.Phil Semiconductor Physics, University of Oxford

Professional associations/memberships. Mark is on the correspondent panel of Computer Law & Security; member of the editorial board of Privacy & Data Protection.

Recommended for:

  • Data Protection and Information Technology (Key Individual) - Chambers and Partners (2016/2015/2014).
  • Outsourcing (Key Individual) - Chambers and Partners (2016/2015/2014).
  • Media and Entertainment - Legal 500 (2015).
  • IT and Telecoms (leading Individual) - Legal 500 (2015/2014).
  • Data Protection (leading Individual) - Legal 500 (2015/2014).
  • Information Technology: Data Protection - Best Lawyers UK (2015).
  • Technology, Media and Telecommunications (Most Highly Regarded Individual) - Who's Who Legal (2016/2015).
  • Technology, Media and Communications - Super Lawyers UK (2014).

Bathilde Waquet, Associate

Bristows

T +44 20 7400 8000
E bathilde.waquet@bristows.com
W www.bristows.com

Professional qualifications. Avocate au Barreau de Paris, France, 2011; Registered European Lawyer, UK, 2014

Areas of practice. Data protection; e-commerce; IT.

Recent transactions

  • Advising clients on the implementation and co-ordination of global compliance programmes, including preparing for the General Data Protection Regulation.
  • Helping clients put in place adequate data transfer solutions, including Binding Corporate Rules, EU Model Clauses and certification under the new Privacy Shield.
  • Advising on a wide range of data protection compliance issues, such as direct marketing, subject access requests, HR data handling, vendor procurement, surveillance and law enforcement requests.
  • Managing data breaches and dealing with data protection authorities.
  • Focusing on data protection issues relating to new technologies, including Big Data analytics, the Internet of Things, wearable/smart technology and artificial intelligence.
  • Advising on a variety of data security issues, including cybersecurity.
  • Helping clients meet UK and EU requirements in relation to e-commerce matters.
  • Assisting with the drafting and negotiation of software development and licence agreements.

Non-professional qualifications. Master in Information Technology Law, University Panthéon-Sorbonne, Paris, France; LLM in Intellectual Property Law, King's College London; Master in Private Law, University Panthéon-Assas, Paris, France

Professional associations/memberships. Certified Information Privacy Professional, Europe (IAPP).

Languages. French, English.

