It is expected that as of 6 April 2010 the Information Commissioner (the "Commissioner") will be able to impose financial penalties of up to £500,000 for serious breaches of the Data Protection Act 1998 (DPA). The penalties are designed to act as a deterrent against personal data breaches and to promote compliance with the DPA.
The new powers will form part of the Commissioner's overall regulatory regime which includes the power to serve an enforcement notice and to carry out an assessment as to whether a data controller's processing of personal data follows good practice.
The power to impose monetary penalty notices
The power to serve monetary penalty notices on data controllers is provided for under sections 55A and 55B of the DPA, introduced by the Criminal Justice and Immigration Act 2008.
The Ministry of Justice has introduced two statutory instruments which provide the legislative framework necessary to bring the Commissioner's power to impose financial penalties into force. These are the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and the Data Protection (Monetary Penalties) Order 2010. At the same time the Information Commissioner's Office (ICO) has produced statutory guidance on the circumstances in which fines may be issued and how the level of fines will be determined. This guidance will be reviewed and updated as the Commissioner gains experience in using his new power.
The functionality of the power
When will a fine be imposed?
The monetary penalties are only designed to deal with serious contraventions of the data protection principles. As such, before imposing a penalty, the Commissioner must take into consideration the seriousness of the breach and the likelihood of substantial damage or distress being caused. Examples include when financial data is lost and an individual becomes the victim of identity fraud, or if data is stolen and an individual suffers harm or anxiety. In addition the Commissioner must be satisfied that the data controller either (i) deliberately contravened the DPA or (ii) knew or ought to have known that there was a risk that contravention would occur. There is a defence where the data controller takes reasonable steps to prevent the breach.
How will the level of fine be decided?
The Commissioner must take a discretionary and proportionate approach when assessing the appropriate level of any penalty. The factors that will be taken into account when carrying out this assessment include an organisation's financial resources, sector, size and the severity of the breach. The purpose of the penalty is not to impose undue financial hardship on an organisation.
What process will be followed when a monetary penalty notice is issued?
Once the Commissioner has satisfied himself that a monetary penalty is appropriate, a notice of intent must be served on the data controller. The notice of intent will set out the proposed amount of the monetary penalty. It will also give a set length of time (no less than 28 days) during which the data controller can make written representations on the Commissioner's proposal. After the expiry of this period, or having considered any representations made by the data controller, the Commissioner may then serve the data controller with the monetary penalty notice. A monetary penalty notice can be varied (to reduce the amount of the penalty) or cancelled by the Commissioner.
A data controller who is served with a monetary penalty notice may appeal to the Information Tribunals Service, contesting the issue of the notice and/or the amount of the penalty specified in the notice.
What happens to the monetary penalty?
The monetary penalty is not kept by the Commissioner. It is paid into the Consolidated Fund owned by HM Treasury.
The Commissioner's power to impose financial penalties for serious breaches of the DPA delivers a clear message that breaches of the DPA will be treated far more seriously in the future. The ICO Guidance states that the possibility of a monetary penalty notice should act as both a "sanction and also as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening data controller and other data controllers".
This new power is a significant development for data controllers in both the public and private sectors, who may wish to review their practices and systems to ensure they avoid a penalty being imposed. However, the Commissioner considers that the proper handling of personal data in accordance with the DPA should not be seen as an extra requirement for businesses, stressing that compliance with the DPA is an integral part of carrying out any business activity.