The move means that the regulator will not spend as much time or
resources on cases where organisations have found themselves
mistakenly in breach of the legislation, or where the breach is
very minor.
“This will enable us to concentrate on abuses of significant
public concern, especially where those responsible have been
warned, or must know, that they are breaking the law,” said
newly-appointed Deputy Information Commissioner David Smith,
unveiling the ICO’s Regulatory Action Strategy today.
“Regulatory action will focus on those whose failure to comply
with data protection results in serious consequences, either
serious (perhaps career-threatening) harm to one individual, or
less serious harm to many people,” he said. “Other criteria for
taking action includes deliberate, wilful or cavalier conduct, or
the need to set an example or clarify the law.”
According to Smith, the ICO will use negotiation as its first
option, but will not hesitate to take enforcement action where
necessary.
The powers of regulatory action available to the ICO include
criminal prosecution, civil enforcement and audit.
The ICO has also promised to be open about any Regulatory Action
taken by the watchdog – so long as this does not unduly prejudice
its effectiveness, commercial confidentiality or the privacy of
individuals.
The policy of openness will be carried out through the
publication of statistics on the number of cases pursued, their
nature and the outcome; the issuing of targeted guidance where
action reveals widespread problems and the publication of a regular
bulletin summarising cases that have been considered for Regulatory
Action.
