Our Strategic Plan sets out our regulatory focus:
We believe that we can be an effective regulator by ensuring we take action in four areas in relation to data harms:
Intelligence gathered from our 'detect' and 'enforce' activities helps us predict where the potential for harm is.
Knowing where there is potential for harm allows us to raise awareness and empower citizens to try to prevent harms from happening. We do this awareness-raising via
When data harms have occurred, we must have effective mechanisms for affected individuals to make a formal complaint about an organisation, and we must have a mechanism that allows controllers/processors to report a data breach to us.
Enforcement action is the last resort, and cannot undo the harm that has occurred. Where we find that an organisation has not complied with its statutory obligations, our findings will be made public here on this page*, as this allows other organisations to learn from what went wrong.
* unless to do so would cause further harm to the complainants
There are four sanctions available under the Law: Reprimand, Warning, Enforcement Order, and Administrative Fine. The chart below shows sanctions issued by the Authority since 2019: