The Information Commissioner’s Office (ICO) has laid before the UK Parliament a draft of its new guidance on monetary penalties. The new guidance follows the introduction by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 of additional powers to impose monetary penalties for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
The 2011 Regulations gave the Information Commissioner additional powers to use monetary penalty notices for breaches of the 2003 Regulations, in addition to his existing powers under Sections 55A to 55E of the Data Protection Act 1998 (the 1998 Act).
The Commissioner may issue a monetary penalty notice up to a maximum value of £500,000 if a person has seriously contravened the 2003 Regulations and if the contravention was of a kind likely to cause substantial damage or substantial distress. In addition, the contravention must either have been deliberate or the person must have known, or ought to have known, that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.
The Commissioner must first satisfy himself that he has the power to impose a monetary penalty as a result of a serious contravention of the 1998 Act or the 2003 Regulations and that the other statutory requirements apply. He must also consider whether, in the circumstances, it would be appropriate to issue a monetary penalty notice and, if so, determine the amount of the penalty.
The guidance sets out the criteria that will be taken into account when deciding the level of the monetary penalty. For example, the Commissioner will consider the seriousness of the contravention in terms of the nature of the personal data concerned and the number of individuals actually or potentially affected; the type of individuals affected (for example, children or vulnerable adults); whether the contravention was a “one-off” or part of a series of similar contraventions; whether the contravention was caused or exacerbated by activities or circumstances outside the direct control of the person concerned (for example, a data processor or an errant employee); the duration and extent of the contravention; and whether guidance or codes of practice published by the ICO or others and relevant to the contravention were followed.
The Commissioner must initially serve a notice of intent setting out the proposed amount of the monetary penalty and informing the recipient that he or she may make written representations to the ICO. The Commissioner may reconsider the level of monetary penalty as a result of the written representations. The person on whom a monetary penalty notice is served may appeal to the First-tier Tribunal (Information Rights) against the issue of the notice and/or the amount of the penalty.
The Commissioner will take an objective approach in considering whether there has been a serious contravention. Examples of a serious contravention of the 1998 Act include the failure of a data controller to take adequate security measures (for example, failing to encrypt files and portable devices) and the loss of medical records containing sensitive personal data following an office move.
Examples of a serious contravention of the 2003 Regulations include making a large number of automated marketing calls based on recorded messages, or sending large numbers of marketing text messages to individuals who have not consented to receive them, particularly if distress and anxiety is caused to the recipients.
The guidance provides a non-exhaustive list of reasonable steps to be taken to prevent a contravention. These include: i) carrying out a risk assessment in respect of the handling of personal data; ii) having good governance and/or audit arrangements in place; iii) having appropriate policies, procedures, practices or processes in place; and iv) implementing guidance or codes of practice published by the Commissioner.
DEFINITIONS AND EXAMPLES
In order to attract a monetary penalty, the likelihood of damage or distress must be substantial in importance, value, degree, amount or extent. The Commissioner will consider, objectively, whether the damage or distress is merely perceived or of real substance.
“Substantial” in relation to a serious contravention of the 1998 Act includes, for example, the disclosure of inaccurate personal data held by an ex-employer by way of an employment reference that results in the loss of a job opportunity for an individual. In relation to the 2003 Regulations, the example given is the distress and anxiety caused to a large number of individuals who receive repeated marketing text messages or automated marketing calls based on recorded messages without having given their consent.
“DAMAGE” AND “DISTRESS”
“Damage” is any financially-quantifiable loss, such as loss of profit or earnings; for example, where personal data is lost and the individual becomes a victim of identity fraud as a result.
“Distress” is any injury to feelings, harm, or anxiety suffered by an individual. Examples include the anxiety suffered when a data controller loses medical details, and the annoyance or anxiety caused by receiving repeated automated marketing calls without consent.
A further example given is a marketing company that collects personal data, stating that it is for the purpose of a competition, and then, without consent, knowingly discloses it to populate a tracing database for commercial purposes, without informing the individuals concerned.
“KNOW” OR “OUGHT TO HAVE KNOWN”
A data controller or other person is expected to be aware, or ought to have been aware, that there is a risk that a contravention will occur. The test is objective: the Commissioner will expect the standard of care of a reasonably prudent person.
The ICO emphasises preventative action, such as carrying out risk assessments, encrypting information and ensuring that consent is obtained in respect of marketing communications. If a serious security breach or contravention still occurs despite such preventative measures having been taken, the likelihood of a monetary penalty notice being issued, and certainly the level of any penalty imposed, will be reduced.
It should be remembered that the Commissioner sees monetary penalties as a deterrent tool as well as an enforcement tool, although they will only be used in the most serious situations. They must “be sufficiently meaningful to act both as a sanction and also as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening person and by others”. The purpose of a monetary penalty notice “is not to impose undue financial hardship on an otherwise responsible person”.