Ashurst Data Bytes 6: The ICO's new investigatory remit under the UK Data (Use and Access) Act

07 October 2025

Host Rhiannon Webster is joined by Ashurst colleagues Anthony Asindi and Tom Brookes to zoom in on an area of the Data (Use And Access) Act that some have overlooked – the changes to the investigatory powers of the UK’s data protection regulator.

The ICO (soon to be rebadged as The Information Commission) deals with a huge volume of complaints and data breach reports annually. Rhiannon, Anthony and Tom pinpoint three notable new powers that the ICO will soon have: to compel the production of documents, to require controllers or processors to provide a report on a specified matter, and to compel individuals to attend interviews and answer questions.

As well as outlining which powers are effective now and when the other powers are likely to come into force, the podcast covers restrictions on the powers including privilege and self-incrimination – with a notable exception being where individuals may be required to answer potentially self-incriminating questions if they relate to Data Protection Act breaches. Anthony notes that refusing to cooperate could become "an aggravating factor" leading to higher fines for the controller or processor.

Tom identifies the mandatory report power as a potential "game changer," shifting the investigative burden and costs to organisations while potentially allowing the ICO to investigate more cases.
Anthony offers some illuminating comparisons with the FCA's powers under the Financial Services and Markets Act (while cautioning that we don't know for certain that the ICO will follow a similar approach). And Tom adds that the ICO should soon provide guidance on its new powers and the circumstances where those might be applied.

To listen to this – and all our previous Data Bytes episodes – search for “Ashurst Legal Outlook” on Apple Podcasts, Spotify or your favourite podcast player. And to find out more about the full range of Ashurst podcasts, visit ashurst.com/podcasts.

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.

Transcript

Rhiannon Webster:

Hello, I am Rhiannon Webster, a partner in Ashurst's Digital Economy Team and Head of our UK Data and Cyber Practice. Welcome to the final episode of our miniseries on the Data (Use and Access) Act. If you've just stumbled upon us now, there are another five in the series that you can listen to.

In this episode, we are going to focus on one of the changes being brought in by the law, which has flown relatively under the radar. So the Data (Use and Access) Act introduced several changes to the investigatory powers of the UK's data protection regulator, soon to be named the Information Commission, previously the Information Commissioner's Office. We're going to look at what exactly these new powers are, why we think they've been introduced, and what may lie ahead.

And to help us talk through this topic, again, I am handing over the reins and this time I'm joined by Ashurst's Senior Associate, Tom Brookes from the Digital Economy Team and Anthony Asindi from the Dispute Resolution Team. So turning to Tom first, can you kick us off by setting the scene on the Information Commission's approach to investigation and enforcement?

Tom Brookes:

Thanks Rhiannon. So it's great to be here to talk about this topic. The Information Commission's investigatory and enforcement powers are contained in the Data Protection Act 2018. The formal investigatory powers broadly include a power to issue enforcement notices and assessment notices, and how these powers are deployed in practice is governed by the ICO's regulatory action policy. In addition to these formal investigatory powers, we also see the ICO commonly making informal inquiries when it becomes aware of potential non-compliance in an organisation.

In contrast to other regulators such as the FCA, the ICO is quite a reactive regulator. And so for most data controllers in the UK, they will only ever interact with the ICO when a complaint has been made about their conduct and practice or when the ICO has been notified of a personal data breach. A key challenge for the ICO in conducting effective investigations is the volume of complaints and personal data breaches it has to deal with.

So for example, last year the ICO received around 42,000 complaints, which is up from 35,000 the previous year, and it received around 12,000 data breach reports. With the passage of the Data (Use and Access) Act, the ICO now has several new investigatory powers and John Edwards, the Information Commissioner noted as the bill was passing through Parliament that these new powers are intended to enhance and improve regulatory effectiveness. So I'd like to bring Anthony in now. Anthony, can you summarise, what exactly are these new investigatory powers that the ICO is going to have?

Anthony Asindi:

Thanks, Tom. There are three main powers that the Data (Use and Access) Act introduces. There are amendments to the Data Protection Act 2018 that we want to draw attention to. So the first is the power for the ICO to compel the production of documents. The second is the power to compel individuals to attend an interview and answer questions. And the third is the power to require controllers or processors to provide a report on a specified matter. So jumping straight into compelling the production of documents. On its face, this is framed as a new power, but really this clarifies the scope of information [inaudible 00:04:08] as you've touched on, and the ICO's existing power under them where they're already able to require controllers and processors to provide information. But the Data (Use and Access) Act now just makes it expressly clear that that power also extends to the ability to compel the production of documents as well, so really an attempt to strengthen the ICO's data gathering and evidence gathering tools.

The second power, so the power to compel individuals to attend interviews, is a brand new power. Again, the ICO has powers to request voluntary questions or voluntary interviews, but now under the Data (Use and Access) Act, it will be able to compel individuals to attend interviews where it's investigating suspected failures under the UK GDPR or under the Data Protection Act 2018, or offences committed by a controller or processor under the Data Protection Act. Now again, this is a slight expansion of the existing powers that the ICO has, particularly regarding information notices, but effectively an individual, which is defined very broadly to be not only a controller or processor if they are individuals, but also any individual employed by them or otherwise working for a controller or processor or any other individual at any time that was concerned in the management or control of the controller or processor, so a very broad category, may be required to attend at a specific place and time to answer questions regarding the specific matter that the ICO is investigating.

There are a few restrictions on that power. So one of them, which is a typical one in the investigation regulatory enforcement context is privilege. So where communications are privileged or where an answer might incriminate an individual, then there's no requirement to answer those questions. The only interesting exception to that is where the self-incriminating answer actually relates to a breach or an offence under the Data Protection Act itself. So in those circumstances, an individual might be asked to answer questions that would otherwise incriminate themselves.
Now again, the other nuance to this is that where a person refuses to answer questions when they're compelled to do so under the new power, then that may be considered an aggravating factor and could in fact lead to higher fines for the controller or processor than if they had cooperated. And also an individual who knowingly makes or recklessly makes a false statement in interview may also be subject to criminal sanctions. So quite a broad ranging power, particularly one that's not seen currently in the ICO's toolkit.

And then third and finally, the power to require a report. So this again is an expansion of the existing assessment notices power and the ICO's ability to issue assessment notices. And it will now have the ability to compel controllers or processors to prepare a report, or rather to engage an approved person to prepare a report, and those arrangements or the assessment notices may specify terms regarding the actual preparation of that report, how they go about it, the contents of the report, so the topic that the ICO is interested in and wants to hear about in that report, the form in which it's provided, and also the dates by which it must be completed. So potentially quite stringent requirements as to this new power and the circumstances where these detailed reports are produced.

The approved person, so the individual that is producing that report for the controller or processor must be approved by the ICO as well. So it is a process quite similar to section 166 skilled person review that we see with the FCA, whereby a nominated individual is put to the ICO, the ICO then approves that person and that person goes away to prepare the reports under this new power. Interestingly, the fact sheet that the government issued alongside the Data (Use and Access) Act suggests that principally this power may be used where there's a particularly technical issue. So for example, on particular issues of encryption or data privacy breaches, but really again, it's an aim to bolster information gathering tools.

Tom Brookes:

Thanks Anthony for running through those various different new powers. When exactly are these powers going to become available for the ICO to deploy? I understand that they're not all in force yet.

Anthony Asindi:

That's right. And that's a slightly more difficult question than what the powers themselves are. So the first power that I mentioned, the power to require documents, that's now in force. So that came into force two months after the Act itself was passed, so it's been in force since the 19th of August 2025. The power to require reports and the power to compel interviews are not yet in force and will in fact be subject to separate regulations that bring those provisions of the Data (Use and Access) Act into force.

We're still waiting for exact confirmation of when that will be, but the initial suggestion was that it was going to be roughly six months after the Act itself received royal assent. So we anticipate it may be by the end of this year.

I think Tom, on that backdrop and turning it back to you, obviously these new powers, as I've touched on some are new, some are expansions of what the ICO has available to it already. Why do you think the ICO has taken these steps and has been given this enhanced set of powers under the Data (Use and Access) Act?

Tom Brookes:

Thanks, Anthony. So having had a look at the government's initial comments when the consultation process was running for the Data (Use and Access) Act, there were a couple of themes, a couple of issues, that were identified. There were references to making sure that the ICO is effective, efficient, and proactive in its approach to investigations. And taking a look at each of these powers, I think the power to compel organisations to prepare a report at the organisation's cost could be a real game changer here and a step change from what the ICO has previously been doing.

The onus is clearly, and the effort is going to have to be on both the organisation who is compelled to prepare the report and also the approved person who will be undertaking the substantive analysis, rather than what is currently the case where the ICO itself is running the investigation and the fact-gathering exercise and having to undertake an extensive consultation and engagement with the organisations throughout that process. So certainly there will be the prospect of the ICO becoming more efficient and potentially being able to investigate a larger number of organisations. So it'll take less resources for them if they chose to rely quite heavily on this new power to compel a report to be produced.

One open question is whether the new powers will actually result in any changes such as the ICO becoming more proactive, so less reactive and responsive, but looking to proactively investigate organisations, not when there's a complaint and not when there is a personal data breach. There are also parallels that Anthony, you are going to talk about in relation to similar powers that the regulators such as the FCA have. But another point of comparison is what we're seeing in Europe. We know in particular that the Irish Data Protection Commission has started to request that organisations are preparing reports on their compliance with law. I think a lot of other data protection regulators will be closely watching how the ICO uses these powers. Clearly we're going to have to understand and we expect there's going to be some form of consultation on the powers.

One area that, aside from the reports which will be interesting to look at, will be in relation to the power to compel someone to attend the investigation and the right to appeal that as well. What would be the parameters for someone to appeal the use of that power to investigate? And so Anthony, I think you are a disputes lawyer who regularly advises organisations in the context of regulatory investigations. What lessons or learning points do you think that organisations could seek to look at and to interrogate from how other regulators are deploying these powers in your experience, in your area of practice?

Anthony Asindi:

So it's really interesting and as you touched on with my investigations hat on, there's certainly parallels particularly with the FCA and the powers that it has under the Financial Services and Markets Act, not least the exact or almost near equivalent powers that it has to both compel interviews and also compel the production of a report as I've talked on earlier, that being the section 166 power to compel skilled person reviews. So on its face, there's an element of anything you can do I can do better or is it the ICO borrowing inspiration from powers that it's seen used elsewhere?

A few key differences based just on the wording of the legislation and how those powers are therefore available and may be used. So the first and perhaps the most obvious one is that the scope of the powers and the circumstances where they might be used are slightly different. So FSMA and the powers to compel interviews and require reports that the FCA has available obviously form part of its wider supervisory role across the financial services sector. Whereas in the context of the ICO, we're really talking about, as you touched on, principally a reactive regulator that deals in response to your complaints but doesn't have a day-to-day supervisory role policing compliance or policing controllers' and processors' compliance with UK GDPR and the Data Protection Act.

So in that sense, the circumstances and breadth of scenarios where these powers might be used is already much narrower, at least on its face. And then also with interviews as well as an example, that also forms not only part of the FCA's investigations process, but again part of its general information gathering in the context of its overall supervisory role in relation to regulated firms under both its and the Prudential Regulation Authority's scope and purview. So almost immediately, although the powers themselves look quite similar on their face, the circumstances in which they're available and how they dovetail with their relevant regulator's actual responsibilities, it is one obvious difference and a point that we'll have to keep an eye on in terms of the approach the ICO takes.

I think the other point is that the FCA in relation to its powers has obviously now a long history of using those powers but perhaps more importantly, established guidance and frameworks on the circumstances when those powers will be used and exactly how those powers will be used. So with the FCA, we have the FCA Handbook, as listeners may know, that's quite a voluminous text. It goes into quite a lot of detail about when certain powers available to the FCA will be used. And so by way of example, the skilled person reviews, so the equivalent of the ICO's new power to compel reports, it sets out in quite a lot of detail the circumstances where that power may be used. So for example, the FCA uses it for diagnostic purposes, it uses it for monitoring purposes in the context of preventative action, but also for remedial action, so where risks have crystallised.

As I say, it remains to be seen whether the ICO will see its power and the use of the power in the same light or whether it'll take a slightly different approach. And so in that sense, really what we're missing to a degree is that supporting guidance or that supporting indication from the ICO about exactly how it sees these powers in the context of its current enforcement approach. And as you say, Tom, to date it has been very much a reactive regulator, whether it now wants to turn face and become more supervisory in its role and responsibilities, I think it's something we are looking at quite closely. But with that in mind, as I've touched on, we have the Act, we've got the provisions of the powers themselves, but is there any suggestion that the ICO will be giving us guidance on these powers and the circumstances where they might be used?

Tom Brookes:

I think the short answer is yes. I think there is a suggestion that they will. The ICO has launched several consultations in the context of other changes in the Data (Use and Access) Act, specifically in relation to the new recognised legitimate interest and the new statutory right of complaint. There are consultations being undertaken and active by the ICO on those areas and so it stands to reason that they'd also be issuing a consultation in relation to these new investigatory powers as well. And I think the one piece of existing guidance or policy documentation, which is probably going to have to get updated in light of this, is the ICO's regulatory action policy.

We mentioned earlier this point around the right to appeal an interview notice or the right to appeal the request to attend an interview. So how that works in practice will have to come out through guidance and potentially through this regulatory action policy. And then similarly, some of the nuts and bolts of how these reports are produced, what will be the impact and the relationship with privilege when lawyers are involved, all these issues are going to have to be worked out. And so we should expect, I think organisations can expect, some form of guidance coming down the track on this.

Rhiannon Webster:

Thanks very much Tom and thanks Anthony for your great insights. I'm particularly finding it interesting, the comparison with the Financial Services regime. Thank you to our listeners for listening to our podcast and please do share the podcast with interested colleagues.

So as I said at the beginning, this is the final episode in our miniseries for now, we'll be coming up with some more topics to talk about data protection and cyber in the future. As I also said, this is the sixth in the series, so if this is the first time you've stumbled upon our series, there's another five for you to find and listen to. We'll continue to keep you up to date on any developments relating to the Act in our Monthly Data Bytes newsletter. So if you haven't already, please do subscribe on Ashurst. Thank you and goodbye.
