ICO

• - enforce compliance
• - requests for assessment
• - develop codes of practice
• - maintain register of Data Controllers

• - annual report to Parliament
• - authority for Council of Europe Convention 108
• - liaise with other DP Commissioners
• - contact for EU commission on Directive 95/46/EC

• - one notification per organisation
• - completed annually
• - Section 21 makes failure to notify an offense
• - since 1st Oct 2009 - two tiers
• - 1st Tier = £35
• - 2nd Tier = £500 (250+ FTE staff, £26m+ turnover)
• - can be done by Direct Debit
• - schools: one notification in the name of the school (England: done by school/Scotland: done by council)

• - name and address
• - description of data and categories of data subject to which they relate
• - description of the purpose(s)
• - description of any recipient to whom the data controller intends to disclose
• - places outside the EEA to which data will or may be transferred
• - security statement (not disclosed to the public)
• - declaration if public body and subject to FOI/FOISA

• - personal and domestic use
• - maintenance of public register
• - not for profit organisations
• - admin, advertising, accounts
• - manual records unless subject to assessable processing (transitional exemption)

• - failure to notify or to notify changes
• - failure to comply with a written request
• - failure to comply with a Notice
• - unauthorised obtaining/disclosure
• - procuring a disclosure to another person
• - unlawful selling of data
• - enforced Subject Access (only allowed in certain sectors e.g. children and vulnerable adults

You can breach a principle but this is not necessarily a criminal offence

• - Information Notice (s43) (specifies information required by ICO) notification of complaint received 14/21 day deadlines usually
• - Enforcement Notice (s40) (specifies steps required to comply with Act post investigation if commissioner has found fault and details changes required
• - Appeal to Information Tribunal in 35 days
• - Special Notices (relating to special purposes e.g. journalism, art

• - Information Tribunal in London (usually)
• - High Court
• - Supreme Court
• - a public process

• Circuit judge/sherriff issues warrant if satisfied
• - Data Controller has contravened principles
• - offence is being committed
• - evidence will be found on premises subject to warrant
• Warrant not granted if
• - ICO has not provided controller with 7 days notice demanding access and access was unreasonably refused or access to evidence was blocked
• - ICO has not notified subject about the warrant
• Warrant can allow
• - entry to premises
• - search of premises
• - inspection, examination, operation and test of any equipment
• - inspection and seizure of documents and materials that may be evidence of breach

Notice not required if believed that data will be destroyed (but still require a warrant)

Schedule 9 - powers of entry and inspection

• - person seving warrant can use necessary and reasonable force
• - warrant must be served at reasonable hour
• - copy of warrant must be given to occupier
• - receipt given for seized documents
• - seized items must be returned when no longer required

• - communications between legal adviser and client containing legal advice, or information about client's obligations, liabilities or rights under DPA
• - any communications about proceedings under the DPA

A person must not knowingly or recklessly, without the consent of the Data Controller:

obtain/disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data

£5,000 fine, unlimited fine, prison (being considered)

• - fines at Magistrates and Crown Court
• - undertakings
• - public domain
• - public relations disaster

• - power to fine for data loss (£500k)
• - requirement to notify data loss
• - prison term for breach of DPA
• - tiered notification fee

• - power to inspect public sector without notice
• - nominated defendant
• - 2009

Section 51

It shall be the duty of the Commissioner to promote the following of good practice by data controllers

• - COPs can be approved at European level
• - Secretary of State in the Uk may direct - ICO to produce a COP on a particular topic
• - good practice covers both compliance with the requirements of the Act and actions that go beyond that
• - ICO may develop own COPs
• - ICO to encourage trade association COPs
• - ICO must consider Trade Association COPs
• - ICO has to consult before endorsing COPs
• - consultation must be with relevant interested parties, trade associations, data subjects, representatives of data subjects

The Commissioner has a duty to review Codes of Practice submitted by trade associations under s51 (4) (b) of the DPA 1998 which states:

"where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice"

• - Archivists & Record Managers
• - Sharing Personal Data
• - Privacy Notices
• - Employment Practices
• - CCTV
• - Telecommunications Directory Information
• - Assessment Notices (new)
• - Online Information (new)

• Nemonic
• ASPECT + A + O / PEACOATS

• - Data Protection Act 1998
• - The Regulation of Investigatory Powers Act, and associated regulations (covers secret recording)
• - The Human Rights Act 1998 (basic right to privacy)
• - The Freedom of Information Act 2000/2002
• - The Private Security Act 2001

• - Information Commissioner Code of Practice on CCTV
• - Home Office Scientific Division guidance and advice, including technical standards
• - British Standards Institute (BS 7958:2005)

• 1. Monitoring: watch the flow of e.g. traffic; identity not necessary
• 2. Detecting: detecting the presence of people where they should not be
• 3. Recognising: recognise people you know
• 4. Identifying: identifying a person with sufficient clarity that the evidence would be admissable