THE Information Commissioner's (ICO's) powers of enforcement in relation to serious breaches of one of the eight principles in the Data Protection Act (DPA) 1998, including data security breaches, are soon to be strengthened. A new power to issue fines against offenders, which was approved by parliament in 2008, will soon come into force. The latest from the ICO is that this will be from April 2010. The Ministry of Justice is the Government department responsible for the changes and it will determine the exact timescale. From the commencement date, once confirmed, the ICO will be able to issue what are expected to be "substantial" fines against data controllers (i.e. businesses and organisations using personal information from their employees, customers or other individuals on their own behalf) without prior warning, for deliberate or reckless breaches of the DPA.
The Ministry of Justice (MoJ) published a consultation paper on 9th November which proposes that the maximum civil monetary penalty (CMP) which can be imposed for serious breach of the data protection principles should be £500,000. Other details, such as whether the ICO will be allowed to fine individuals (e.g. directors) as well as the organisations themselves, are still to be confirmed.
Given the very highly publicised incident in mid November in which T-Mobile was forced to announce that it was co-operating with the Information Commissioner in relation to a likely prosecution of former members of its staff for selling on customers' personal data, the increase in potential monetary penalties is likely to be welcomed by many.
Currently, the ICO can issue enforcement notices against organisations in breach of the DPA. A notice would require the data controller to take particular steps in respect of the breach, including entering into binding undertakings. Such undertakings would usually oblige the offending entity to take such action as in the ICO's opinion is necessary in order to avoid further breaches, or to cease the unlawful processing of personal information. Failure to comply with an enforcement notice is an offence. Failure to comply with binding undertakings would be a breach of contract which could lead to action being taken. In addition, it is a criminal offence under the DPA to knowingly or recklessly obtain, disclose or procure the disclosure of personal information, or to sell (or offer to sell) it. The maximum fine which can currently be imposed under proceedings in the magistrates' court is £5,000.
Other regulators, including the Financial Services Authority (FSA), have in contrast issued huge fines (e.g. in excess of £1 million) against banks in respect of data security breaches by them or by their data processors acting on their behalf. By way of explanation, there is some overlap between the FSA and the ICO in respect of data security breaches in the financial services sector, and the two regulators work together to determine which is best placed to take action.
It had been anticipated that the Government would go for a "10% of turnover" level for monetary penalties to bring it more in line with the maximum fines other regulators can impose, such as the FSA, OFCOM, OFWAT and OFT. It has not adopted this approach, on the basis that it is difficult to work out the turnover of data controllers. The level of fines will, however, be established with some reference to the size of the company involved.
The ICO's stated intention is to take certain factors into consideration when imposing fines, including the size, financial and other resources of a data controller. It further notes that the "…purpose of a [CMP] is not to impose serious financial hardship on a responsible data controller."

The Ministry of Justice in the consultation paper also states that it considers it "desirable that the maximum amount of the penalty should not be higher than the equivalent of 10% of the highest annual turnover of a small company".
Increased sanctions for the criminal offence of knowingly or recklessly obtaining, disclosing or selling personal information (primarily a custodial sentence of up to two years) have also been approved by parliament, and are likely to come into force in April 2010. These sanctions are the result of increasing concerns about the growing illegal trade in personal data.
The new power to issue fines will give the DPA more bite. Consequently, data controllers will need to be careful in complying with the DPA principles, otherwise they risk facing what is likely to be a significant monetary penalty.
The ICO will have the power to fine offending organisations where the data controller has committed a serious breach of one of the eight DPA principles, and the breach was either deliberate, or the data controller knew, or ought to have known, that the breach would be likely to cause significant damage or distress, or the data controller failed to take reasonable steps to prevent the breach.

The risk of the breach causing "damage or distress" is higher in the event of a breach involving sensitive personal data. The DPA provides that sensitive personal data include information about an individual's racial or ethnic origin, physical health or condition, religious or other beliefs, political opinions, criminal record, sexual life and membership of a trade union.
Notice of intent
Before imposing a fine by way of a notice, the ICO will have to serve a notice of intent upon the data controller, which tells it of its right to make written representations to the ICO until a specified deadline. The ICO will not be able to issue the notice until after that deadline. Once the notice has been served, the data controller will have the right to appeal to the Information Tribunal about the notice itself being issued or the level of the fine.
Financial concerns aside, there is also the risk of damage to a data controller's reputation if a fine is imposed, as the ICO lists all enforcement action that it takes against data controllers on its publicly available website. In addition, the ICO issues press releases in the event of high-profile breaches.

It is, therefore, increasingly important for organisations to put compliance with the DPA at the top of their agendas. Data controllers should monitor the ICO's guidance on how it proposes to exercise its new power. The ICO will publish the guidance on its website, www.ico.gov.uk.