What is the Information Commissioner’s Office (ICO)?
The Information Commissioner’s Office (ICO) describes itself as the “UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” Headed up by the Information Commissioner, Elizabeth Denham (as at January 2020), the ICO deals with a variety of issues, including:
Data protection complaints – the ICO handles complaints in relation to regulatory concerns about how organisations handle personal data.
Registration – most organisations which handle data are required to register with the ICO and pay an annual fee, as well as provide an up-to-date list of Data Protection Officers (DPO).
Enforcement – the ICO can take action against any data protection breaches, conducting investigations, making decision notices, issuing fines and pursuing matters through the courts if necessary.
Guidance – the ICO provides detailed guides to data protection and information law regulations, as well as creating resources which explain the rights of individuals in relation to their personal data, along with the responsibilities of organisations which control or process personal data.
Registering with the ICO
Any organisation (including limited companies and sole traders) which processes personal data is required to register with the ICO, subject to certain limited exemptions (e.g. elected representatives, such as MPs and councillors in county councils). The ICO provides an online self-assessment tool to help businesses and individuals ascertain whether or not they need to register.
The requirement to register with the Information Commissioner’s Office and pay the relevant fee (see below) is set out by Data Protection (Charges and Information) Regulations 2018 – and failure to do so will result in a fixed penalty. The ICO maintains a public register of organisations and people who have registered, which includes:
Name and address of the registered company/individual (along with any other trading names);
Registration number;
Payment tier;
Date of initial registration and expiry date of current registration period; and
Name and contact details for Data Protection Officer (see below) if applicable.
In December 2019, the ICO launched a new campaign under which they plan to write to all registered companies in the UK, reminding them of their legal responsibility to pay an annual fee if they process personal data. As a consequence, most recently formed companies can expect to be contacted by the ICO.
