Dear R. Sole
Thank you for your email of 14 October 2016 concerning papers you found belonging to Wirral Borough Council relating to noise complaints.
We want to know how organisations are doing when they are handling information rights issues. We also want to improve the way they deal with the personal information they are responsible for. Reporting your concerns to us will help us do that.
Our role is not to investigate or adjudicate on individual concerns but we will consider whether there is an opportunity to improve the practice of the organisations we regulate. We do this by taking an overview of all concerns that are raised about an organisation with a view to improving their compliance with the Data Protection Act 1998.
I can confirm that Wirral Borough Council has self-reported this matter to us and we are investigating this incident. As part of our investigation we will take steps to ensure that the council has addressed all foreseeable weaknesses in its organisational and technical controls, with a view to reducing the potential for a recurrence.
Although I cannot confirm what action, if any, we will take, in common with all such cases I can advise that there are four options available to us:
We may issue advice. This may take the form of a letter, or an undertaking. The latter is a publically available document signed by both the ICO and the organisation to which it is issued;
- We may mandate the steps required to reduce the likelihood of a recurrence by way of a formal Enforcement Notice;
- In the most serious cases, we may issue a Civil Monetary Penalty. This acts as a deterrent against future incidents;
- Finally, we may offer an audit or advisory visit. These allow the ICO to review specific areas of a data controller’s compliance and to make tailored recommendations for improvement.
Further details of all our regulatory powers can be found in our Regulatory Action Policy, which can be found on our website.
The above steps are not mutually exclusive and in common with all such cases we will use a combination of our powers to ensure that both the incident and any improvements required are appropriately addressed.
At this stage we are unable to confirm what the outcome of that investigation will be. We will not write to you again in this matter but any formal regulatory action will be published on the ICO’s website.
I hope this information is helpful. Thank you for bringing this matter to our attention.