The move means that the regulator will not spend as much time or resources on cases where organisations have found themselves mistakenly in breach of the legislation, or where the breach is very minor.
“This will enable us to concentrate on abuses of significant public concern, especially where those responsible have been warned, or must know, that they are breaking the law,” said newly-appointed Deputy Information Commissioner David Smith, unveiling the ICO’s Regulatory Action Strategy today.
“Regulatory action will focus on those whose failure to comply with data protection results in serious consequences, either serious (perhaps career-threatening) harm to one individual, or less serious harm to many people,” he said. “Other criteria for taking action includes deliberate, wilful or cavalier conduct, or the need to set an example or clarify the law.”
According to Smith, the ICO will use negotiation as its first option, but will not hesitate to take enforcement action where necessary.
The powers of regulatory action available to the ICO include criminal prosecution, civil enforcement and audit.
The ICO has also promised to be open about any Regulatory Action taken by the watchdog – so long as this does not unduly prejudice its effectiveness, commercial confidentiality or the privacy of individuals.
The policy of openness will be carried out through the publication of statistics on the number of cases pursued, their nature and the outcome; the issuing of targeted guidance where action reveals widespread problems and the publication of a regular bulletin summarising cases that have been considered for Regulatory Action.
