The Information Commissioner's Office (ICO)

The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO is responsible for:

  • Promoting good practice in handling personal data and giving advice and guidance on data protection.
  • Keeping a register of organisations that are required to notify the ICO about their information-processing activities.
  • Helping to resolve disputes by deciding whether it is likely or unlikely that an organisation has complied with the Act when processing personal data.
  • Taking action to enforce compliance with the Act, where appropriate.
  • Bringing prosecutions for offences committed under the Act (except in Scotland, where the Procurator Fiscal brings prosecutions).

Registration with the ICO

The ICO maintains a register of organisations which collect, hold and process data – known as “data controllers.” 

The DPA requires all data controllers to register with the ICO and comply with the legislation. This will include motor finance providers and motor dealerships. 

Firms must pay an annual fee for renewing their registration and must notify the ICO within 28 days of any changes to their details.  Failure to notify changes within this timescale or to renew registration are both criminal offences.

Every organisation, no matter how large or small, is responsible for the personal data it collects and has to register the following information with the ICO:

  • a general description of the purposes for which the data is to be used;
  • the data subjects;
  • the type of data (e.g. personal, family/lifestyle/social, education, employment/financial);
  • the recipients to whom the data may be passed on; and
  • whether the data will be transferred outside the European Economic Area (in which case the recipients will not be bound by the provisions of the EU Directive and may not therefore comply with comparable standards).