As the issue of the first Monetary Penalty Notice ("MPN") under the Data Protection Act 1998 (the "DPA") draws closer, organisations are asking themselves how they can avoid being on the receiving end of this new sanction.
- Fines of up to £500,000 are expected to come into force from 6 April 2010
- The Information Commissioner's statutory guidance is a useful blueprint for compliance
- Organisations have a short time to review their data protection compliance before they are potentially at risk of a fine
- An organisation which can demonstrate it took "reasonable [preventative] steps" despite committing a serious data protection breach could have a lower fine issued or even be exempt from a fine
- Commercial partners should consider the possibility of a fine when apportioning liability in their contractual arrangements
- Larger organisations can expect to be hit harder financially for the same breach
- The Commissioner's exercise of his discretion will be the single most important factor in determining the effectiveness of MPNs as a new data privacy compliance tool.
As has been widely reported, the Information Commissioner (the "Commissioner") has a new power to fine up to £500,000 for serious data protection breaches. The new regime is expected to come into force on 6 April 2010 and marks a significant change in data privacy regulation in the UK.
The Commissioner has published statutory guidance on how he will use his power to issue MPNs (the "Guidance"), a document which has received surprisingly little attention so far, considering it is the best indication available of the Commissioner's thinking as to how he intends to issue fines in practice. The Guidance has an important role as a compliance checklist for prudent organisations wishing to review their practices and procedures and make essential adjustments ahead of April.
The Guidance was laid before Parliament on 12 January 2010 and can be found on the Commissioner's website www.ico.gov.uk.
The procedure for issuing a MPN is as follows:
First, the Commissioner must be satisfied that there has been a serious contravention of the Data Protection Principles and that the other statutory requirements are met: the contravention was of a kind likely to cause substantial damage or substantial distress, and it was either deliberate or one the data controller knew or ought to have known was a risk but failed to take reasonable steps to prevent.
Next, the Commissioner serves a Notice of Intent on the data controller. The data controller then has an opportunity to make representations about the issue of the MPN and/or the proposed size of the fine.
The Commissioner must consider any representations made and then decide whether to serve the MPN as proposed, to vary it (e.g. by reducing the size of the fine) or not to serve it at all, and inform the data controller accordingly. The data controller can appeal to the Tribunals Service against a MPN.
The Guidance includes the Commissioner's interpretation of a number of terms in the legislation. This is not legally binding but it is likely to be taken into account by a Tribunal construing the relevant sections of the DPA. In particular, the Guidance explains that "substantial" means that the likelihood of damage or distress suffered by an individual would have to be "considerable in importance, value, degree, amount or extent", e.g. inaccurate data held by an ex-employer being disclosed in an employment reference, resulting in the loss of a job opportunity for the individual. "Damage" is explained as any financially quantifiable loss, e.g. loss of earnings. "Distress" means injury to feelings, harm or anxiety suffered by an individual e.g. anxiety that lost medical records may become public, even if this does not actually happen.
Compliance Tips drawn from the Guidance
The Information Commissioner can be expected to make use of his new power fairly soon after he gets it. To try to avoid receiving a MPN or Notice of Intent, a data controller should consider the following:
- Make an effort - and be able to demonstrate it – to recognise the risks of handling personal data, e.g. conduct a risk assessment or adopt "privacy by design" principles
- Pay proportionately more attention to processing involving sensitive data and/or large numbers of individuals
- Have appropriate policies, procedures and practices relevant to serious contraventions which might occur and establish clear lines of responsibility
- Implement guidance or codes of practice by the Commissioner or others that are relevant to serious contraventions of the DPA by your organisation
- Don't allow known problems to persist – act quickly, e.g. rectify security flaws in IT systems as soon as you practicably can
- Act and learn the lessons from past warnings or previous incidents (and be able to provide evidence of this).
An organisation which receives a Notice of Intent should consider the following when formulating its response.
- Provide evidence to the Commissioner in relation to your internal compliance and governance, e.g. as set out above
- Ensure you tell the Commissioner if you are subject to any requirements from another regulator relating to the same incident (the Commissioner will try to avoid "double jeopardy")
- Be ready to explain what steps you have taken since you became aware of the contravention
- Explain what steps, if any, you have taken to offer compensation to individuals affected by the breach in question
- Be ready to explain the reputational harm to you as data controller which would or could be caused by a MPN
Due to its potentially serious consequences, both financial and reputational, an organisation which receives a Notice of Intent should consider seeking specialist legal advice in order to prepare representations in response.
MPNs cannot be issued to data processors, only to data controllers. Parties should take this into account when apportioning data protection-related liability between themselves in commercial contracts.
The single most important factor in the effectiveness of MPNs as a new data privacy compliance tool will be the Commissioner's exercise of his discretion. The Guidance provides some welcome hints but ultimately we will just have to wait and see how things develop in practice.
For those of you reading this on Thursday 28 January 2010, we wish you a happy Data Protection Day!