Information Commissioner's Office

Information Commissioner
Information Commissioner
	Incumbent; John Edwards ; since 3 January 2022
	Information Commissioner's Office
Type	Corporation sole
Reports to	Parliament of the United Kingdom
Appointer	Queen Elizabeth II ; by letters patent
Term length	up to 7 years; non-renewable
Constituting instrument	Data Protection Act 2018
Precursor	Data Protection Registrar
Formation	1984
First holder	Eric Howe
Salary	£200,000 per year
Website	www.ico.org.uk

Information Commissioner's Office
Established	1984;40 years ago
Type	non-departmental public body
Focus	data protection and freedom of information
Headquarters	Wycliffe House
Location	Wilmslow, Cheshire , United Kingdom ;
Origins	Data Protection Act 1984
Region served	United Kingdom
Information Commissioner	John Edwards
Revenue (2020/2021)	£57,980,542
Expenses (2020/2021)	£57,041,005
Staff	500+
Website	ico.org.uk
Formerly called	Data Protection Registrar

Last updated February 04, 2024

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology.^[1] It is the independent regulatory office (national data protection authority) dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications (EC Directive) Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When they audit an organisation they use Symbiant's audit software.^[2]

Role of the Information Commissioner

The Information Commissioner is an independent official appointed by the Crown. The Commissioner's decisions are subject to appeal to an independent tribunal and the courts. The Commissioner's mission is to "uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals".^[4]

The role of Information Commissioner is currently held by John Edwards, who succeeded Elizabeth Denham on 3 January 2022.^[5]

John Edwards

On 26 August 2021, John Edwards was named as the new Information Commissioner, replacing Elizabeth Denham. The UK government said he would "go beyond the regulator's traditional role" and that the job would now be "balanced" between protecting rights and promoting "innovation and economic growth". It also said that protection for privacy should be done "in as light a touch way as possible", that it would prioritise allowing personal data to be sent internationally to places such as the United States, Korea, Singapore, Dubai and Colombia, among others, that it wanted a data policy that delivered a "Brexit dividend" for businesses (c.f. individuals alone) and that it wanted to get rid of "endless" cookie popups.^[6] Promoting economic growth is not one of the ICO's functions recognised at law and as such this new role creates the potential for conflict with its statutory functions, set out for example in section 115 of the Data Protection Act 2018 and the UK GDPR,^[7] and/or the risk that it may potentially take actions which are ultra vires. Since promoting economic growth has not previously been one of its roles (it was announced on 26 August 2021 that it is something that the job would "now" involve and it is not set out in statute),^[6] then logically, promoting economic growth is to come at the expense of the protection of rights, since that protection has not previously been balanced with it. As of 26 August 2021^[update], the ICO's website states that it is "The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals".^[8]

Elizabeth Denham

Since Elizabeth Denham was appointed Britain's Information Commissioner in 2016, the ICO has undertaken high-profile investigations into Equifax, Yahoo, Talk Talk, Uber, and Facebook; issuing the maximum fine under the Data Protection Act 1998 of £500,000 to Facebook,^[9] for breaches of data protection law. Denham has also overseen the conclusion of the ICO's investigation into charities' fundraising activities and a series of fines for companies behind nuisance marketing.^[10]

Elizabeth Denham welcomed the introduction of the General Data Protection Regulation (GDPR)^[11] that came into effect in May 2018, as well as the Data Protection Act 2018.^[12]

In October 2018 she was elected chair of the International Conference of Data Protection and Privacy Commissioners (ICDPPC), the leading global forum of data protection and privacy authorities, encompassing more than 120 members across all continents that works throughout the year on global data protection policy issues.

Christopher Graham

During his time as Information Commissioner, Christopher Graham was noted for gaining new powers to issue monetary penalties to those who breach the Data Protection Act 1998. He has also welcomed new powers to issue monetary penalties under the Privacy and Electronic Communications Regulations, as well as raising concerns over harm and distress caused by nuisance call to the public.^[13] Christopher Graham succeeded Richard Thomas in 2009.

Richard Thomas

During Richard Thomas' tenure as Commissioner, the ICO was particularly noted for raising serious concerns over the Government's proposed British national identity card and database, as well as other similar databases such as the Citizen Information Project, Universal Child Database, and the NHS National Programme for IT, stating that the country is in danger of sleepwalking into a surveillance society,^[14] drawing attention to the misuse of such information by the former states of the Eastern bloc and Francisco Franco's Spain.

Data Protection Act 2018

The Data Protection Act 2018^[12] received royal assent on 23 May 2018. It updates data protection laws in the UK, supplementing the General Data Protection Regulation (GDPR), implementing the EU law enforcement directive, and extending data protection laws to areas not covered by the GDPR. The new Act aims to modernise data protection laws to ensure they are effective in the years to come.

The data protection charge on UK data controllers to support the Act is under the Data Protection (Charges and Information) Regulations 2018. Exemptions from the charge were left broadly the same as for the previous Act: largely some businesses and non-profits internal core purposes (staff or members, marketing and accounting), household affairs, some public purposes, and non-automated processing.^[15]^[16] The register of fee payers, which excludes those data controllers that are exempt from paying a fee, is publicly available and searchable at the website of the ICO,^[17] which also gives links to the ICO's counterparts around Europe.

Data Protection Act 1998

The United Kingdom as a member of the European Union was, and as a former member still is, subject to a strict regime of data protection. The Data Protection Act 1984 created the post then named Data Protection Registrar with whom people processing personal data had to register the fact of their processing of that data on the register of data controllers. Under the provisions of EC Directive 95/46 (introduced in the UK as the Data Protection Act 1998, rather than as an SI under the European Communities Act 1972), the name of the post was changed to Data Protection Commissioner and later to Information Commissioner.

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. The GDPR came into force on 25 May 2018 and sets out requirements for how organisations need to handle personal data. It forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). Following the UK's departure from the EU on 31 January 2020, the GDPR continues to be part of British domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018.

Freedom of Information Act 2000 and Environmental Information Regulations 2004

In 2005 the Commissioner's role was expanded to include enforcement of the Freedom of Information Act 2000 and Environmental Information Regulations 2004 and the name of the position was changed from Data Protection Commissioner to Information Commissioner ('IC'). Enforcement of the Freedom of Information (Scotland) Act 2002, which applies to devolved public authorities in Scotland, is the responsibility of the Scottish Information Commissioner, a separate public official, as the British Act does not apply to these authorities.

The ICO issues guidance on Freedom of Information legislation, which is being updated in accordance with its strategic plan 2019/20 - 2021/22, Openness by Design.^[18]

Privacy and Electronic Communications Regulations (EC Directive) 2003 (PECR)

In November 2011 the ICO was given the powers to impose monetary penalties of up to £500,000 for breaches of the Privacy and Electronic Communications Regulations (PECR). PECR applies to organisations that wish to send marketing messages through electronic means i.e. phone, fax, email, text; use cookies or provide electronic communication services to the general public. As with the GDPR, these regulations continue to apply following Brexit.

Nuisance calls

In March 2013, commenting on a fine of £90,000 imposed on Cumbernauld fitted kitchen company DM Design for nuisance marketing calls, the Information Commissioner said that "this fine will not be an isolated penalty. We know other companies are showing a similar disregard for the law and we've every intention of taking further enforcement action against companies that continue to bombard people with unlawful marketing texts and calls." In 2014, the Government changed the law to "lower the legal threshold for consumer harm".^[19] This made it easier for the ICO to "take enforcement action against more organisations breaching the Privacy and Electronic Communications Regulations (PECR)".^[20]

In October 2018 the ICO fined two companies a total of £250,000 that made nearly 1.73 million direct marketing phone calls to people registered with the Telephone Preference Service (TPS).^[21] In December 2018, the Commissioner welcomed the new law that means the ICO can now hold company bosses directly responsible and has the power to fine them personally for breaches of the Privacy and Electronic Communications Regulations (PECR).

Environmental Information Regulations 2004

The Information Commissioner is also responsible for appeals made under the Environmental Information Regulations 2004.

Enforcement

Prior to 2010 the enforcement powers were limited to issuing enforcement notices and to pursuing those alleged to have broken the Data Protection Act 1998 through the courts. In 2010 The Information Commissioner was granted the power to issue fines, known as monetary penalties, by its own authority, granted in April 2010. The first such were served on 24 November 2010.^[22] From 2010, the ICO were also given the powers to serve Assessment Notices, which can be issued to organisations who are unwilling to work alongside the ICO and are at risk of breaking the principles of the Data Protection Act 1998. During the Leveson Inquiry in 2012 it came to light that the ICO had felt unable to challenge the press related to allegations of breaches due to the power of the press and perceived weakness of its own powers.^[23]

From 25 May 2018 the ICO were granted new enforcement powers under the new data protection laws, including the ability to fine organisations €20 million (or equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher, for breaching data protection laws.^[24]

Investigations

Operation Motorman

In 2002, under 'Operation Motorman', the ICO under Richard Thomas raided various newspaper and private investigators' offices, looking for details of personal information kept on unregistered computer databases. The operation uncovered numerous invoices addressed to newspapers and magazines, which detailed prices for providing the journalists with personal information, with 305 journalists being identified as having been the recipients of a wide range of information.^[25]

In 2006, a request under the Freedom of Information Act led to the publication of a report to the British Parliament called "What Price Privacy Now?".^[26] The newspaper with the highest number of requests was the Daily Mail with 952 transactions by 58 journalists; the News of the World came fifth in the table, with 182 transactions from 19 journalists.^[25] The Daily Mail immediately issued a press release, in which it rejected the accusations within the report. Editor Paul Dacre said that Associated Newspapers only used private investigators to confirm public information, such as dates of birth.^[25]

In a July 2011 appearance in front of a parliamentary committee, a day after former News International CEO Rebekah Brooks had been arrested and bailed in light of the News International phone hacking scandal, Dacre told them that he had never "countenanced" phone hacking or blagging at his newspaper, as both acts were clearly "criminal".^[27]

Consulting Association

On 23 February 2009, the Droitwich office of the Consulting Association (TCA) was raided by the ICO, which served an enforcement notice against TCA under the terms of the Data Protection Act. The ICO action followed a 28 June 2008 article about alleged blacklisting in the construction industry, by journalist Phil Chamberlain, published in The Guardian .^[28]

Sony

In 2013, the Information Commissioner's Office fined Sony Computer Entertainment Europe Ltd. £250,000, when many PlayStation systems were hacked and the names, addresses, phone numbers and card details of users were stolen. The ICO found that Sony had excessive information about their users and inadequate security systems in place.^[29]

Facial recognition use by Amazon and Facebook

May 2018 saw the increased scrutiny of both Facebook and Amazon with regards to reports of the use of biometric personal data without the consent of the subjects.^[30]

Cambridge Analytica and Facebook

On 23 March 2018, the ICO searched the London headquarters of Cambridge Analytica amid reports that the firm harvested the personal data of millions of Facebook users as part of a campaign to influence the U.S. 2016 presidential elections.^[31]

In October 2018 the ICO issued a fine of £500,000, the maximum allowable under the laws which applied at the time the incidents occurred, to Facebook, for breaches of data protection law. The ICO's investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers (specifically, Aleksandr Kogan and his company GSR as clients of SCL Ltd and Cambridge Analytica) access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply 'friends' with people who had.^[9]

Uber

In November 2018 the ICO fined Uber £385,000 for failing to protect customers' personal information during a cyber-attack. A series of avoidable data security flaws allowed the personal details of around 2.7 million British customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber's US parent company.^[32]

Equifax

In September 2018, the ICO issued Equifax Ltd with a £500,000 fine for failing to protect the personal information of up to 15 million British citizens during a cyber-attack in 2017. The incident, which happened between 13 May and 30 July 2017 in the US, affected 146 million customers globally.^[33]

TikTok

In February 2019, the ICO launched an investigation of the video-sharing platform and mobile application TikTok, following the fine its parent company ByteDance received from the United States' Federal Trade Commission, for collecting information from minors under the age of 13 in violation of the country's Children's Online Privacy Protection Act. Speaking to a parliamentary committee, Information Commissioner Elizabeth Denham said that the investigation focuses on the same issue of private data collection, as well as the kind of videos collected and shared by children online, as well as the platform's open messaging system which allows any adult to message any child. She noted that the company was potentially violating provisions in the GDPR which "requires the company to provide different services and different protections for children".^[34]

Interserve

In October 2022, Interserve was fined £4.4 million for a breach of data protection law in May 2020 which enabled hackers to access data on up to 113,000 Interserve employees. While a phishing email had been detected, the ICO said Interserve "failed to thoroughly investigate the suspicious activity". As a result, the attacker compromised 283 systems and 16 accounts, uninstalled the company's anti-virus solution, and encrypted the personal data of current and former employees. Interserve disputed that its staff and its response had been complacent. It said it had also sought to reduce risks in systems supporting ongoing operations at Tilbury Douglas and in Mitie Group.^[35] The fine was the fourth-largest ever demanded by the ICO.^[36]

List of Information Commissioners

John Edwards (appointed 21 December 2021, took office 3 January 2022)^[37]
Elizabeth Denham (appointed 15 July 2016)^[38]
Christopher Graham (appointed 29 June 2009)^[39]
Richard Thomas (appointed 2 December 2002)
Elizabeth France (appointed 1 September 1994)^[40]
Eric Howe (appointed September 1984)

Similar roles in Europe

The role of the IC is mirrored throughout the countries of the European Union and European Economic Area who have equivalent officials created under their versions of Directive 95/46.

Related Research Articles

The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

The Data Protection Act 1998 (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

The Telephone Preference Service (TPS) is the United Kingdom's official do not call list. It allows businesses and individuals to opt out of unsolicited marketing calls.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handling sensitive information.

The Privacy and Electronic Communications Regulations 2003 is a law in the United Kingdom which made it unlawful to, amongst other things, transmit an automated recorded message for direct marketing purposes via a telephone, without prior consent of the subscriber. The law implements an EU directive, the Privacy and Electronic Communications Directive 2002.

Security breach notification laws or data breach notification laws are laws that require individuals or entities affected by a data breach, unauthorized access to data, to notify their customers and other parties about the breach, as well as take specific steps to remedy the situation based on state legislature. Data breach notification laws have two main goals. The first goal is to allow individuals a chance to mitigate risks against data breaches. The second goal is to promote company incentive to strengthen data security.Together, these goals work to minimize consumer harm from data breaches, including impersonation, fraud, and identity theft.

The Register of data controllers was a United Kingdom database under the control of the UK Information Commissioner's Office mandated by section 19 of the Data Protection Act 1998.

Privacy by design is an approach to systems engineering initially developed by Ann Cavoukian and formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research in 1995. The privacy by design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. Privacy by design calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., taking human values into account in a well-defined manner throughout the process.

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

Elizabeth Denham CBE, LL. D. (hon.) was the UK Information Commissioner at the Information Commissioner's Office in Cheshire from July 2016, taking over the role from Christopher Graham, until November 2021. Denham previously held the title of Information and Privacy Commissioner for British Columbia, having been appointed to that role in May 2010. Prior to this she had been the Assistant Privacy Commissioner of Canada from 2007.

The National Pupil Database (NPD) is a database controlled by the Department for Education in England, based on multiple data collections from individuals age 2-21 in state funded education and higher education. Data are matched using pupil names, dates of birth and other personal and school characteristics, including special educational needs, disability, and indicators for free school meals, a child in care, and families in the armed forces. Personal details are linked to pupils' attainment and exam results over a lifetime school attendance.

A data protection officer (DPO) ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data. The designation, position and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the European Union (EU) General Data Protection Regulation (GDPR). Many other countries require the appointment of a DPO, and it is becoming more prevalent in privacy legislation.

The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

Several allegations of unlawful campaigning in the 2016 EU referendum have been made. Some allegations were dismissed by the investigating bodies, but in other cases wrongdoing was established, leading to the imposition of penalties. Sanctions have included the levying of the maximum fine possible on Facebook for breaches of data privacy.

The General Personal Data Protection Law, is a statutory law on data protection and privacy in the Federative Republic of Brazil. The law's primary aim is to unify 40 different Brazilian laws that regulate the processing of personal data. The LGPD contains provisions and requirements related to the processing of personal data of individuals, where the data is of individuals located in Brazil, where the data is collected or processed in Brazil, or where the data is used to offer goods or services to individuals in Brazil.

Michael Veale is a technology policy academic who focuses on information technology and the law. He is currently associate professor in the Faculty of Laws at University College London (UCL).

The Age appropriate design code, also known as the Children's Code, is a British internet safety and privacy code of practice created by the Information Commissioner's Office (ICO). The draft Code was published in April 2019, as instructed by the Data Protection Act 2018 (DPA). The final regulations were published on 27 January 2020 and took effect 2 September 2020, with a one-year grace period before the beginning of enforcement. The Children's Code is written to be consistent with GDPR and the DPA, meaning that compliance with the Code is enforceable under the latter.

References

↑ "Relationship with the Department for Science, Innovation and Technology". ico.org.uk. 11 April 2023. Retrieved 23 June 2023.
↑ "When we audit an organisation". ico.org.uk. 1 August 2023. Retrieved 2 November 2023.
↑ "Data Protection and Digital Information Bill - Parliamentary Bills". UK Parliament.
↑ "Information Commissioner's Office". Information Commissioner's Office. Retrieved 7 January 2010. The Information Commissioner's Office is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
↑ "Information Commissioner". 28 January 2022.
1 2 "Data protection 'shake-up' takes aim at cookie pop-ups". BBC News. 26 August 2021. Retrieved 26 August 2021.
↑ "General functions [of the Information Commissioner] under the GDPR and safeguards" . Retrieved 26 August 2021.
↑ "Information Commissioner's Office". Information Commissioner's Office. Retrieved 26 August 2021. [The Information Commissioner's Office is] the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
1 2 "ICO issues maximum £500,000 fine to Facebook for failing to protect users' personal information" (Press release). Information Commissioner's Office. 25 October 2018. Retrieved 22 August 2020.
↑ "Nuisance calls and messages". Information Commissioner's Office. Retrieved 22 August 2020.
↑ "Guide to the General Data Protection Regulation (GDPR)". Information Commissioner's Office. Retrieved 22 August 2020.
1 2 "Data Protection Act 2018". Information Commissioner's Office. Archived from the original on 7 August 2018. Retrieved 22 August 2020.
↑ "Targeting the worst offenders and cutting nuisance calls". 3 April 2014. Archived from the original on 19 June 2017. Retrieved 24 March 2018.
↑ Patrick Foster, "Big Brother surveillance means no one is safe, experts warn", The Times , 27 March 2007, accessed 16 September 2007
↑ Review of exemptions from paying charges to the Information Commissioner's Office (PDF) (Report). Department for Digital, Culture, Media and Sport. November 2018. Retrieved 30 April 2020.
↑ "The Data Protection (Charges and Information) Regulations 2018 – Schedule Exempt Processing". legislation.gov.uk. Retrieved 30 April 2020.
↑ "Register of fee payers". Information Commissioner's Office. Retrieved 22 August 2020.
↑ ICO, "About the Guide to freedom of information", accessed 26 December 2021.
↑ "Nuisance Calls Action Plan" (PDF). Department of Culture, Media and Sport. Retrieved 8 April 2016. lower the legal threshold for consumer harm
↑ "Nuisance Calls Action Plan" (PDF). Department of Culture, Media and Sport. Retrieved 8 April 2016. take enforcement action against more organisations breaching the Privacy and Electronic Communications (EC Directive) Regulations 2003
↑ "ICO fines two firms for over one million nuisance calls made to TPS subscribers" (Press release). 26 November 2018. Retrieved 22 August 2020.
↑ "BBC News – First Data Protection Act fines issued by commissioner". BBC Online . BBC. 24 November 2010. Retrieved 24 November 2010. The commissioner said the fines – the first he has issued – would "send a strong message" to those handling data.
↑ "The Frontline". 1 December 2011. Archived from the original on 28 April 2016.
↑ "Penalties". Information Commissioner's Office. Retrieved 22 August 2020.
1 2 3 "Info Chief's broadside at Press over data crimes". Press Gazette. 15 December 2006. Archived from the original on 11 January 2012. Retrieved 18 July 2011.
↑ "What Price Privacy Now?". Information Commissioners Office. 15 December 2006. Archived from the original on 20 February 2014. Retrieved 18 July 2011.
↑ "Daily Mail editor Paul Dacre 'never approved hacking'". BBC News. 18 July 2011. Retrieved 18 July 2011.
↑ Chamberlain, Phil (28 June 2008). "Enemy at the gates". The Guardian. Retrieved 7 September 2015.
↑ "Sony fined over PlayStation hack". BBC News. 24 March 2018. Retrieved 24 March 2018.
↑ Frenkel, Sheera (8 May 2018). "Facebook to Reorganize After Scrutiny Over Data Privacy (Published 2018)". The New York Times. ISSN 0362-4331 . Retrieved 6 December 2020.
↑ Gonzales, Richard (23 March 2018). "U.K. Investigators Raid Cambridge Analytica Offices In London". NPR.
↑ "ICO fines Uber £385,000 over data protection failings" (Press release). Information Commissioner's Office. 27 November 2018.
↑ "Credit reference agency Equifax fined for security breach" (Press release). Information Commissioner's Office. 20 September 2018. Retrieved 22 August 2020.
↑ Hern, Alex (2 July 2019). "TikTok under investigation over child data use". The Guardian . ISSN 0261-3077 . Retrieved 13 July 2020.
↑ Prior, Grant (24 October 2022). "Interserve hit with £4.4m fine after cyber attack". Construction Enquirer. Retrieved 24 October 2022.
↑ Allen, Tom (24 October 2022). "ICO serves Interserve £4.4m fine after cyberattack". Computing. Retrieved 24 October 2022.
↑ "John Edwards is confirmed as the new Information Commissioner" (Press release). London: Department for Digital, Culture, Media and Sport. 21 December 2021. Retrieved 21 December 2021.
↑ "UK's new Information Commissioner formally appointed". 15 July 2016. Archived from the original on 18 September 2016. Retrieved 25 July 2016. Her Majesty The Queen has approved the appointment of Elizabeth Denham as the UK's Information Commissioner.
↑ McNally, Paul (13 January 2009). "Christopher Graham is new Information Commissioner". Press Gazette.
↑ Lashmar, Paul (27 November 2000). "Elizabeth France: This woman's watching you, Big Brother". The Independent. Retrieved 9 August 2011.

External links

Official website

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Relationship with the Department for Science, Innovation and Technology". ico.org.uk. 11 April 2023. Retrieved 23 June 2023.

[2] "When we audit an organisation". ico.org.uk. 1 August 2023. Retrieved 2 November 2023.

[3] "Data Protection and Digital Information Bill - Parliamentary Bills". UK Parliament.

[4] "Information Commissioner's Office". Information Commissioner's Office. Retrieved 7 January 2010. The Information Commissioner's Office is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals

[5] "Information Commissioner". 28 January 2022.

[newcommissioner26aug2021-6] 1 2 "Data protection 'shake-up' takes aim at cookie pop-ups". BBC News. 26 August 2021. Retrieved 26 August 2021.

[7] "General functions [of the Information Commissioner] under the GDPR and safeguards" . Retrieved 26 August 2021.

[8] "Information Commissioner's Office". Information Commissioner's Office. Retrieved 26 August 2021. [The Information Commissioner's Office is] the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals

[ico_facebook_fine-9] 1 2 "ICO issues maximum £500,000 fine to Facebook for failing to protect users' personal information" (Press release). Information Commissioner's Office. 25 October 2018. Retrieved 22 August 2020.

[10] "Nuisance calls and messages". Information Commissioner's Office. Retrieved 22 August 2020.

[ico_gdpr-11] "Guide to the General Data Protection Regulation (GDPR)". Information Commissioner's Office. Retrieved 22 August 2020.

[ico_dpa-12] 1 2 "Data Protection Act 2018". Information Commissioner's Office. Archived from the original on 7 August 2018. Retrieved 22 August 2020.

[13] "Targeting the worst offenders and cutting nuisance calls". 3 April 2014. Archived from the original on 19 June 2017. Retrieved 24 March 2018.

[14] Patrick Foster, "Big Brother surveillance means no one is safe, experts warn", The Times , 27 March 2007, accessed 16 September 2007

[dcms-201811-15] Review of exemptions from paying charges to the Information Commissioner's Office (PDF) (Report). Department for Digital, Culture, Media and Sport. November 2018. Retrieved 30 April 2020.

[16] "The Data Protection (Charges and Information) Regulations 2018 – Schedule Exempt Processing". legislation.gov.uk. Retrieved 30 April 2020.

[17] "Register of fee payers". Information Commissioner's Office. Retrieved 22 August 2020.

[18] ICO, "About the Guide to freedom of information", accessed 26 December 2021.

[19] "Nuisance Calls Action Plan" (PDF). Department of Culture, Media and Sport. Retrieved 8 April 2016. lower the legal threshold for consumer harm

[20] "Nuisance Calls Action Plan" (PDF). Department of Culture, Media and Sport. Retrieved 8 April 2016. take enforcement action against more organisations breaching the Privacy and Electronic Communications (EC Directive) Regulations 2003

[21] "ICO fines two firms for over one million nuisance calls made to TPS subscribers" (Press release). 26 November 2018. Retrieved 22 August 2020.

[22] "BBC News – First Data Protection Act fines issued by commissioner". BBC Online . BBC. 24 November 2010. Retrieved 24 November 2010. The commissioner said the fines – the first he has issued – would "send a strong message" to those handling data.

[23] "The Frontline". 1 December 2011. Archived from the original on 28 April 2016.

[ico_penalties-24] "Penalties". Information Commissioner's Office. Retrieved 22 August 2020.

[PG36439-25] 1 2 3 "Info Chief's broadside at Press over data crimes". Press Gazette. 15 December 2006. Archived from the original on 11 January 2012. Retrieved 18 July 2011.

[26] "What Price Privacy Now?". Information Commissioners Office. 15 December 2006. Archived from the original on 20 February 2014. Retrieved 18 July 2011.

[27] "Daily Mail editor Paul Dacre 'never approved hacking'". BBC News. 18 July 2011. Retrieved 18 July 2011.

[Enemy-28] Chamberlain, Phil (28 June 2008). "Enemy at the gates". The Guardian. Retrieved 7 September 2015.

[29] "Sony fined over PlayStation hack". BBC News. 24 March 2018. Retrieved 24 March 2018.

[30] Frenkel, Sheera (8 May 2018). "Facebook to Reorganize After Scrutiny Over Data Privacy (Published 2018)". The New York Times. ISSN 0362-4331 . Retrieved 6 December 2020.

[31] Gonzales, Richard (23 March 2018). "U.K. Investigators Raid Cambridge Analytica Offices In London". NPR.

[32] "ICO fines Uber £385,000 over data protection failings" (Press release). Information Commissioner's Office. 27 November 2018.

[33] "Credit reference agency Equifax fined for security breach" (Press release). Information Commissioner's Office. 20 September 2018. Retrieved 22 August 2020.

[34] Hern, Alex (2 July 2019). "TikTok under investigation over child data use". The Guardian . ISSN 0261-3077 . Retrieved 13 July 2020.

[Prior-24Oct2022-35] Prior, Grant (24 October 2022). "Interserve hit with £4.4m fine after cyber attack". Construction Enquirer. Retrieved 24 October 2022.

[Allen-24Oct2022-36] Allen, Tom (24 October 2022). "ICO serves Interserve £4.4m fine after cyberattack". Computing. Retrieved 24 October 2022.

[37] "John Edwards is confirmed as the new Information Commissioner" (Press release). London: Department for Digital, Culture, Media and Sport. 21 December 2021. Retrieved 21 December 2021.

[38] "UK's new Information Commissioner formally appointed". 15 July 2016. Archived from the original on 18 September 2016. Retrieved 25 July 2016. Her Majesty The Queen has approved the appointment of Elizabeth Denham as the UK's Information Commissioner.

[39] McNally, Paul (13 January 2009). "Christopher Graham is new Information Commissioner". Press Gazette.

[40] Lashmar, Paul (27 November 2000). "Elizabeth France: This woman's watching you, Big Brother". The Independent. Retrieved 9 August 2011.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

[37]

[38]

[39]

[40]

v t e Privacy
Principles	Right of access to personal data Expectation of privacy Right to privacy Right to be forgotten Post-mortem privacy
Privacy laws	Australia Brazil Canada China Denmark England European Union Germany Ghana New Zealand Russia Singapore Switzerland United Kingdom United States California, amended in 2020
Data protection authorities	Australia Denmark European Union France Germany India Indonesia Ireland Isle of Man Netherlands Norway Philippines Poland South Korea Spain Sweden Switzerland Thailand Turkey United Kingdom
Areas	Consumer Digital Education Medical Workplace
Information privacy	Law Financial Internet Facebook Google Twitter Email Personal data Personal identifier Social networking services Privacy-enhancing technologies Privacy engineering Privacy-invasive software Privacy policy Secret ballot Virtual assistant privacy
Advocacy organizations	American Civil Liberties Union Center for Democracy and Technology Computer Professionals for Social Responsibility Data Privacy Lab Electronic Frontier Foundation Electronic Privacy Information Center European Digital Rights Future of Privacy Forum Global Network Initiative International Association of Privacy Professionals NOYB Privacy International
See also	Anonymity Cellphone surveillance Data security Eavesdropping Global surveillance Identity theft Mass surveillance Panopticon PRISM Search warrant Wiretapping Human rights Personality rights
Category


Established	1984;40 years ago (1984)
Type	non-departmental public body
Focus	data protection and freedom of information
Headquarters	Wycliffe House
Location	Wilmslow, Cheshire , United Kingdom
Origins	Data Protection Act 1984
Region served	United Kingdom
Information Commissioner	John Edwards
Revenue (2020/2021)	£57,980,542
Expenses (2020/2021)	£57,041,005
Staff	500+
Website	ico.org.uk
Formerly called	Data Protection Registrar

Information Commissioner
Incumbent John Edwards since 3 January 2022
Information Commissioner's Office
Type	Corporation sole
Reports to	Parliament of the United Kingdom
Appointer	Queen Elizabeth II by letters patent
Term length	up to 7 years non-renewable
Constituting instrument	Data Protection Act 2018
Precursor	Data Protection Registrar
Formation	1984 (1984)
First holder	Eric Howe
Salary	£200,000 per year
Website	www.ico.org.uk