The document outlines the six things the Information Commissioner's Office (ICO) must show to issue a monetary penalty notice for a data protection contravention: 1) A contravention of data protection principles, 2) The contravention was serious, 3) It was likely to cause substantial damage or distress, 4) The entity knew or should have known about the issue and failed to take reasonable steps, 5) A monetary penalty notice is appropriate, and 6) A notice of intent was properly served. It then provides further details on some of these criteria, such as distinguishing the contravention from the trigger incident and factors considered for "likely to cause substantial damage or distress."