Skip to main content

The legislation we oversee

Contents

Data protection legislation

Both the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR):

  • give people rights over how organisations collect and use their personal information; 
  • ensure organisations are accountable for using personal information safely; and 
  • support the social and economic benefits that come from responsible data sharing. 

The Data (Use and Access) Act 2025 (DUAA) amended the legislation that we oversee (in particular the DPA and UK GDPR). This included defining a principal objective for us in: 

  • carrying out functions under data protection legislation; 
  • securing an appropriate level of protection for personal information;
  • being aware of the interests of: 
    • the people the information is about;
    • Controllers and others; and 
    • the public; and
  • promoting public trust and confidence in the processing of personal information. 

The amendments resulting from the DUAA are being implemented in phases. More information about the changes and when they come into force is available on our website

The Privacy and Electronic Communications Regulations 2003 (PECR): 

  • regulate the use of electronic communications for the purpose of marketing to people and organisations (using cookies or similar technologies);
  • keep public electronic communications services secure; and 
  • maintain the privacy of customers using communications networks or services.

The Investigatory Powers Act 2016 (IPA) imposes duties on communications service providers when: 

  • they retain communications data for third party investigatory purposes; and
  • the Secretary of State has issued them with a notice. 

With certain personal data breaches (PDBs), we have a duty to audit the retained data to ensure its security, integrity and destruction.

Freedom of information legislation

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by most public authorities. Aimed at promoting a culture of openness and accountability across the public sector, it enables a better understanding of: 

  • how public authorities carry out their duties;
  • why they make the decisions they do; and 
  • how they spend public money 1.

The Environmental Information Regulations 2004 (EIR) provide means of access to environmental information. The EIR cover more organisations than FOIA, including some private sector bodies, and have fewer exemptions (referred to as ‘exceptions’ in the EIR).

The Infrastructure for Spatial Information in the European Community Regulations 2009 (INSPIRE) give us enforcement powers regarding the proactive provision by public authorities of geographical or location-based information.

Re-use of Public Sector Information Regulations 2015 (RPSI): 

  • give the public the right to request the re-use of public sector information; and 
  • detail how public bodies can charge for the re-use and licensing of the information. 

We don’t have the powers to regulate copyright or re-use of information but deal with complaints about how public bodies have dealt with requests to re-use information.

Other relevant legislation

Network and Information Systems Regulations 2018 (NIS) establish a common level of security for NIS applying to: 

  • operators of essential services; and 
  • relevant digital service providers (RDSP), such as: 
    • online marketplaces; 
    • online search engines; and 
    • cloud services. 

These systems play a vital role in the economy and wider society. The NIS aim to address any threats, most notably from cyber-attacks.

The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 and Electronic Identification and Trust Services for Electronic Transactions (Amendment etc) (EU Exit) Regulations 2019 (known collectively as the UK eIDAS Regulations) set out rules for the security and integrity of electronic trust services, including:

  • electronic signatures, seals, time stamps and documents;
  • electronic registered delivery services; and 
  • website authentication certificates. 

We supervise organisations providing these trust services, and we’re able to grant qualified status to providers and to take enforcement action.

The Enterprise Act 2002 reformed UK competition law and consumer law enforcement. Part 8 of the Enterprise Act deals with the enforcement of consumer protection legislation. We have powers under part 8 as a ‘designated enforcer’ to handle domestic infringements and infringements listed in schedule 13. We are also a ‘schedule 13’ enforcer, which gives us additional powers to deal with infringements listed in schedule 13.


1 FOIA, EIR and INSPIRE apply in England, Wales and Northern Ireland. A separate regime, regulated by the Scottish Information Commissioner, operates in Scotland.