The Information Commissioner’s Office (“ICO”) has been given new powers to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act 1998 (“DPA”).

The ICO has published statutory guidance on how these powers will be applied and we have attempted to summarise its main points below, in the form of likely “frequently answered questions”.

Who does this apply to?

Anyone who is a “data controller” under the Act and seriously breaches the DPA. As the ICO points out, this can include “large companies, small businesses; sole traders; charitable bodies; voluntary organisations; Government Departments; and office holders created by statute such as electoral registration officers”. The ICO notes however that it will take into account the sector, the size, financial and other resources of a data controller before setting the amount of a monetary penalty. It also goes on to note that “As a general rule a data controller with substantial financial resources is more likely to attract a higher monetary penalty than a data controller with limited resources for a similar contravention of the data protection principles.”

A monetary penalty cannot be imposed on a person who is not the data controller, such as an employee of the data controller, or a person who is acting as a data processor on behalf of a data controller.

In what circumstances can the ICO issue a fine?

The ICO must be satisfied that:

  • there has been a serious contravention of the data protection principles by the data controller; and
  • the contravention was of a kind likely to cause substantial damage or substantial distress; and either (i) the contravention was deliberate; or (ii) the data controller knew or ought to have known that there was a risk that the contravention would occur and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

How will the ICO interpret the above?

Meaning of serious contravention: The ICO says that this will be determined objectively and that it will aim to reflect the reasonable expectations of individuals and society.

The ICO gives the following examples of serious contraventions:

  • The failure by a data controller to take adequate security measures (use of encrypted files and devices, operational procedures, guidance etc.) resulting in the loss of a compact disc holding personal data.
  • Medical records containing sensitive personal data are lost following a security breach by a data controller during an office move.  

Meaning of substantial damage/distress: Again, the ICO says that this will be assessed as objectively as possible.

ICO example of substantial: Inaccurate personal data held by an ex-employer is disclosed by way of an employment reference resulting in the loss of a job opportunity for an individual.

What practical steps should be taken to reduce the risk of a financial penalty?

As penalties are an enforcement measure designed to encourage compliance with the DPA, organisations who generally take steps to try and ensure their compliance with the DPA are more likely to have a defence that they took “reasonable steps” to prevent a contravention where one occurs and, just as importantly, are much less likely to contravene the DPA in the first place.

The ICO has given the following as a list of factors which support the conclusion that a data controller has taken reasonable steps. Organisations wishing to review their own internal procedures may also wish to use this as a starting point for this process:

  • The data controller had carried out a risk assessment or there is other evidence (such as appropriate policies, procedures, practices or processes in place or advice and guidance given to staff) that the data controller had recognised the risks of handling personal data and taken steps to address them;
  • The data controller had good governance and/or audit arrangements in place to establish clear lines of responsibility for preventing contraventions of this type;
  • The data controller had appropriate policies, procedures, practices or processes in place and they were relevant to the contravention, for example:
  • a policy to encrypt all laptops and removable media in relation to the loss of a laptop by an employee of the data controller;
  • Guidance or codes of practice published by the ICO or others and relevant to the contravention were implemented by the data controller, for example, the data controller can demonstrate compliance with the BS ISO/IEC 27001 standard on information security management.

It is also clear from the guidance that, in addition to having robust internal procedures in place to try and promote DPA compliance generally, it will also be important for organisations to take prompt steps to rectify matters where they become aware of a specific risk of data loss. The ICO gives the example that where a data controller’s security is breached they should take steps to rectify the relevant flaw in their computer system as soon as they could practicably have done so.

In conclusion, the introduction of financial penalties does not represent a change in the existing obligations of data controllers under the DPA, but it does provide a strong incentive for organisations to take steps to ensure they are following best practice and to reinforce the importance of compliance to their staff.