Since the Legal Aid, Sentencing and Punishment of Offenders Act 2012 (Fines on Summary Conviction) Regulations 2015 came into force on 12 March 2015, the Magistrates’ Court has had the ability to impose unlimited fines for criminal offences under the Data Protection Act 1998 (‘DPA’).
Under s.55 DPA, an individual can be convicted of a criminal offence if he or she obtains or discloses personal data without the consent of the data controller. Before 12 March, a £5,000 fine cap existed, but this has now been removed, allowing for fines of any amount to be imposed at sentencing.
This change has been welcomed by the Information Commissioner’s Office (‘ICO’), which has been campaigning for stricter, more effective punishments and still wants custodial sentences for the more severe ‘blagging’ breaches. Data processing managers should not be overly alarmed if data is lost because of an error of judgment, though. The ICO has stated that although data processing managers could be legally responsible for data protection failures, they are unlikely to be affected by the amendment unless they – like any other employee – commit a criminal offence.
The changes do, however, force organisations that may have taken on a calculated risk, because of the low penalty that could be imposed, to think again and reassess their management systems. With heavier penalties available, the incentive to minimise data breaches is higher and parties are likely to be more willing to settle before trial should a breach occur.
The removal of the limit should provide magistrates with a framework to match the level of the fine with the defendant’s culpability, and encourage organisations to tighten up their data management systems. Only time will tell if this is achieved.