
UK: The ICO's enforcement powers and dawn raids

The Information Commissioner's Office (ICO) is the designated authority in the UK to ensure compliance with data protection laws and uphold information rights in the public interest. The ICO has the power under Part 6 of the Data Protection Act 2018 (the Act) to investigate and enforce data processing activities. In this Insight article, Kelly Hagedorn, Hanna Hewitt, and Lucy Mann, from Orrick, Herrington & Sutcliffe LLP, explore the ICO's power under Part 6 of the Act to issue notices, as well as the ICO's ability to carry out dawn raids and some of the key considerations in relation to these.  


Types of ICO notice 

The most common action the ICO can take is to issue a notice to a data controller or data processor. Under Part 6 of the Act, the ICO can issue an: (1) Information Notice, (2) Assessment Notice, (3) Enforcement Notice, and (4) Penalty Notice, each of which is taken in turn below. 

In March 2022, the ICO closed its consultation on regulatory action, which included a statutory guidance document titled 'Statutory Guidance on our Regulatory Action.' Whilst still only in draft form, this guidance provides insight into the ways in which the ICO aims to carry out its role of ensuring compliance with data protection laws and upholding information rights in the public interest.  

Information Notice (Section 142 of the Act) 

What is the notice? 

An Information Notice requires a data controller, data processor, or individual to provide the ICO with requested information (within a specified time frame) to assist the ICO with its investigation/s.

What must the notice contain?

An Information Notice must include: 

  • reference to the relevant subsection of Section 142 of the Act on which the ICO relies to issue the Information Notice;  
  • an explanation of why the ICO requires the information requested; 
  • information about the consequences of non-compliance; and 
  • information about the recipient's rights under the Act, including the right to appeal and the right to apply to court to amend the period in which the information must be provided.  

An Information Notice may also specify: 

  • particular information or categories of information to be provided; 
  • the form in which the information must be provided; 
  • the period in which the information must be provided; and 
  • the place where the information must be provided.  

What are the penalties for non-compliance?

The ICO may apply for a court order requiring a response. Additionally, the ICO may consider issuing a Penalty Notice (as further discussed below). It may also, in some cases, be a criminal offense to provide a response to an Information Notice that is false.  

 

Assessment Notice (Section 146 of the Act) 

What is the notice? 

An Assessment Notice requires a data controller or data processor to assist the ICO in determining whether they are compliant with data protection legislation. 
What must the notice contain? 

An Assessment Notice must include: 

  • the period in which the information must be provided; 
  • information about the consequences of non-compliance; and 
  • information about the recipient's rights under the Act, including the right to appeal and the right to apply to court to amend the period in which the information must be provided.  

An Assessment Notice may also specify that the data controller or data processor do any of the following: 

  • permit the ICO to enter certain premises and/or access documents, information, equipment, or materials of a specified description; 
  • provide the ICO with a copy of documents, information, equipment, or materials of a specific description; 
  • direct the ICO to documents, information, equipment, or materials on premises which are of a specified description, allowing them to inspect these as required; 
  • provide the ICO with explanations of documents, information, equipment, or materials of a specified description; 
  • permit the ICO to observe the processing of personal data that takes place on premises; and 
  • make available for interview a group of people who would be willing to be interviewed by the ICO.   
What are the penalties for non-compliance? 

The ICO may apply for a court order requiring a response. Additionally, where the ICO has requested access to premises, specified documentation, and/or equipment, the ICO may apply for a warrant to do so.  

The ICO may consider issuing a Penalty Notice (as further discussed below). It may also, in some cases, be a criminal offense to provide a response to an Assessment Notice that is false and/or to destroy or otherwise dispose of, conceal, or block all or part of documents, information, equipment, or materials.

Other things that should be considered 

In its draft statutory guidance, the ICO has included a non-exhaustive list of documentation that it could require a data controller or data processor to disclose, which includes strategies, policies, procedures, guidance, codes of practice, training materials, protocols, frameworks, memoranda of understanding, contracts, privacy statements, privacy impact assessments, data protection impact assessments, control data, breach logs, and job descriptions.  

The ICO may also request access to the following: 

  • specified personal data or classes of personal data; 
  • information that is subject to legal professional privilege, except where the privilege attaches to advice about, or proceedings under, data protection legislation (see the discussion of privilege in the dawn raid section below); 
  • information that has a high level of commercial sensitivity; 
  • information that is 'exempt information' as defined under Section 23 of the Freedom of Information Act 2000 (information that is supplied to a public authority by, or relates to, the Security Service, the Secret Intelligence Service, and other similar bodies); and 
  • information that is exempt from the Act by virtue of a national security certificate. 

 

Enforcement Notice (Section 149 of the Act) 

What is the notice? 

An Enforcement Notice is issued to a data controller or data processor where they have breached one or more of the data protection principles. The aim of an Enforcement Notice is to order a data controller or data processor to comply with data protection legislation and/or remedy the breach. Enforcement Notices may be issued where there: 

  • is a repeated failure to meet information rights obligations or their associated timescales (e.g., data subject access requests); 
  • are serious ongoing infringements to the rights and freedoms of individuals; 
  • is processing or a transfer of personal data in or to a third country that fails to meet the requirements of the data protection legislation; or 
  • is the need for corrective action by a certification/monitoring body to ensure that the data controller or data processor meets their obligations.  
What must the notice contain? 

An Enforcement Notice must include: 

  • information about what the data controller or data processor has failed or is failing to do, as well as the ICO's reasons for reaching this view; 
  • information about the consequences of non-compliance; and 
  • information about the recipient's rights under the Act, including the right to appeal and the right to apply to court to amend the period within which the notice must be complied with.  

An Enforcement Notice may also specify the period within which the Enforcement Notice must be complied with.  

What are the penalties for non-compliance? 

The ICO may consider issuing a Penalty Notice (as discussed further below).  

 

Penalty Notice (Section 155 of the Act) 

What is the notice? 

A Penalty Notice is the document that the ICO will issue when it intends to fine an organization for a breach or breaches of data protection legislation.  

The ICO has stated that a Penalty Notice will be reserved for the most serious breaches of data protection law including, but not limited to, those where: many individuals have been affected, there has been damage, special category data has been involved, there has been a failure to comply with an Information Notice, Assessment Notice, or Enforcement Notice, or there have been repeated breaches of data protection regulation. 

What must the notice contain? 

Before a Penalty Notice is issued, the ICO will issue a Notice of Intent, notifying the data controller or data processor that the ICO intends to serve it with a Penalty Notice. The Notice of Intent will set out: 

  • the circumstances of the breach; 
  • the ICO's investigative findings; 
  • the proposed penalty; and 
  • the reason for proposing the penalty. 

A data controller or data processor will then have 21 calendar days to make representations if they disagree with the penalty proposed. 

The ICO will then consider the representations and issue a Penalty Notice if so minded.   

Other things that should be considered 

The maximum amount of the penalty may be:  

  • in the case of an undertaking, £17.5 million or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher; or  
  • in any other case, £17.5 million.  

These are ceilings, not starting points: the ICO applies a nine-step mechanism to determine the penalty actually imposed: 

  1. Assessment of seriousness taking into consideration the factors set out in Section 155 of the Act. 
  2. Assessment of the degree of culpability of the organization concerned. 
  3. Determination of turnover. 
  4. Calculation of an appropriate starting point. 
  5. Consideration of relevant aggravating and mitigating features. 
  6. Consideration of financial means. 
  7. Assessment of economic impact. 
  8. Assessment of effectiveness, proportionality, and dissuasiveness. 
  9. Early payment reduction. 

Managing ICO notices 

If you receive a notice from the ICO, what should you do? The notice should be passed to the individual/s within your organization responsible for data protection, and external legal counsel should be engaged as needed to assist with responding. It is helpful to set reminders for the deadline to respond and, at this stage, to ask for an extension of time if you believe one is needed. 

You should also review the ICO notice and consider whether to provide comments to the ICO before responding in full. For example, you may wish to highlight where you may not be able to provide certain information and/or clarify certain points that the ICO has raised. This helps to ensure that, when you respond, you provide the most helpful response to the ICO and demonstrate that you have assisted the ICO to the greatest degree possible.  

Regarding Assessment Notices and the ICO requesting access to premises, please see our guidance below in relation to dawn raids and the ICO's powers of entry and inspection.   

Dawn raids - the ICO's powers of entry and inspection 

Pursuant to Schedule 15 of the Act, the ICO may obtain a warrant from the court to exercise powers of forcible entry, search, inspection, and seizure if the ICO has reasonable grounds for suspecting that an offense has been committed under the Act or that a data controller or data processor is failing to comply with the data protection legislation. The ICO does not publish a list of the dawn raids it has carried out; however, the ICO has been known on occasion to use these powers, most notably in relation to Cambridge Analytica in 2018.  

A court will only issue a search warrant if it is satisfied that there are reasonable grounds to suspect that evidence of the offense or failure to comply could be found on the premises, and that either:  

  • all of the following notice conditions are met: 
    • at least seven days have elapsed since the ICO gave notice in writing demanding access to the premises;  
    • either the ICO demanded access at a reasonable hour and access was unreasonably refused, or access was granted but the occupier unreasonably refused to comply with a request made by the ICO; and  
    • the occupier of the premises was notified by the ICO that an application for a warrant had been made and had the opportunity to be heard by the judge on whether the warrant should be issued; or  
  • the ICO is satisfied that compliance with those conditions would defeat the object of entry to the premises, or the ICO requires access to the premises urgently.  

Where the personal data concerned is processed for the special purposes (journalistic, academic, artistic, or literary purposes), a warrant cannot be issued unless a determination by the ICO under Section 174 of the Act has taken effect. 

If a search warrant is issued, it authorises the ICO to:  

  • enter the premises to view specified documents or observe the processing which takes place on the premises;  
  • inspect personal data where international obligations make inspection necessary; 
  • determine whether controllers are processing personal data in accordance with the data protection framework;  
  • inspect, examine, operate, and test any equipment found on the premises that is used, or intended to be used, for the processing of personal data;  
  • inspect and seize any documents or other material found on the premises that may enable the ICO to determine whether a controller or processor is complying with data protection legislation;  
  • require any person on the premises to provide an explanation of any document or other material, including any information that may reasonably be required for the investigation; and/or  
  • in executing the warrant, use such reasonable force as may be necessary.  

There is a statutory presumption that the powers of entry granted to the ICO under a warrant must be exercised at a 'reasonable hour' and within seven days of the warrant being issued, unless the ICO has reasonable grounds to believe that undertaking the inspection at such a reasonable hour would defeat the object of the inspection.  

During the inspection of documents and materials on the premises, investigators cannot require the production of legally privileged material. This covers confidential communications between lawyer and client made for the purpose of giving legal advice about data protection legislation, or for the dominant purpose of proceedings under or arising out of data protection legislation (litigation privilege). It is important to note that this exemption does not cover all material that would ordinarily be protected by legal professional privilege: it only covers documentation relating to advice given about, or proceedings under or arising from, data protection legislation. Privileged material on other subjects (for example, advice on a commercial dispute) is not protected from inspection by this exemption. 

Managing dawn raids  

Given that criminal liability attaches to failures to cooperate with ICO investigations, it is essential to have a procedure in place to deal with a dawn raid in a measured and sensible way. By way of preparation, an organization should have a written dawn raid plan and should identify a dawn raid response team, led by either the data protection officer or a member of senior management. All key employees should have received appropriate data protection training, including what they need to do in the event of a dawn raid. The contact details of the response team, including telephone numbers and email addresses, should be readily available, particularly to reception and other front-of-house staff, as these individuals will need to contact the team immediately if investigators arrive.  

In addition, the following practical steps should be taken during the raid:  

  1. Shadowing. The investigators will have the power to search and inspect all materials and property within the premises. A person familiar with the dawn raid procedure and the mandate of the investigation, preferably a member of the external or internal legal team, should shadow the investigators. Given that investigating teams can be large, it is important to ensure there are sufficient people to shadow each investigator adequately. The shadowing team should also conduct an immediate debrief with internal and external legal counsel after the raid to establish which materials or property were requested, reviewed, copied, or seized, and whether any disputes arose about materials or property (for example, regarding privileged materials).  
  2. IT support. During the investigation, the investigators will expect certain people to be available to explain the organizational structure of the company and the IT systems it uses. The investigators will rely heavily on searches of emails and other electronic documents and may therefore require access to, and support from, a member of the IT team to assist with specific tasks and with the provision of administrator access rights.  
  3. Record. Keep a note of all records (both electronic and hard copy) that have been taken by the investigators, and ensure that an additional copy of everything taken is made for the company's own records. 
  4. Employee interviews. The investigators will want to ask employees questions, which may include requests for oral explanations of documents. It is common for external or in-house counsel to be present during the questioning, or for an arrangement to be in place for independent representation in the event of a conflict of interest. Keep a record of the discussions, including the questions asked and the responses given; these should also feed into the debrief that takes place after the raid.  
  5. Privilege. Any materials accessed or seized by the ICO that are, or may be, privileged should be logged, and objections should be raised with the ICO investigators at the time.  


Kelly Hagedorn, Partner 
Hanna Hewitt, Associate 
Lucy Mann, Trainee Solicitor 
Orrick, Herrington & Sutcliffe LLP, London