On 1 October 2008, the Regulation Enforcement and Sanctions Act ('RESA') came into force in the UK. The Act implements some of the recommendations in the Hampton Report 'Reducing Administrative Burdens: Effective Inspection and Enforcement' following a comprehensive review of the UK regulatory system. The new measures aim to ensure that the system in place "at both a national and local level … is risk-based, consistent, proportionate and effective."
The Act has four key parts: Part 1 establishes the Local Better Regulation Office; Part 2 deals with the co-ordination of regulatory enforcement; Part 3 deals with the "expanded toolkit" of regulatory sanctions; and Part 4 covers the requirement on regulators not to impose or maintain unnecessary burdens. Part 1 only applies in England and Wales, although parts 2, 3 and 4 apply in Scotland in relation to matters that are reserved. This article will focus on part 3.
New Regulatory Sanctions (Part 3)
RESA applies to a variety of regulatory bodies, including the Financial Services Authority, the Environment Agency, the Food Standards Agency, Information Commissioner, Office of Communications and the Office of Rail Regulation.
The RESA allows a Minister, to give regulators access to four new sanctions:
- fixed monetary penalty (FMP) notices – under which a regulator will be able to impose a monetary penalty of a fixed amount;
- discretionary requirements – which will enable a regulator to impose one or more of the following: a variable monetary penalty (VMP); a compliance notice requiring the offender to take specified steps within a stated period to secure that the offence does not continue or happen again; a restoration notice, which requires the offender to take specified steps within a stated period to secure that position is restored, so far as possible, to what it would have been if no offence had been committed;
- stop notices – which will prevent a business from carrying on an activity until it has taken steps to come back into compliance; and
- enforcement undertakings – which will enable a business, which a regulator reasonably suspects of having committed an offence, to give an undertaking to the regulator to take one or more corrective actions set out in the undertaking.
Impact on the Information Commissioner's Office (ICO)
The ICO has often been criticised as being toothless in terms of the sanctions it is able to impose for breaches of the Data Protection Act 1998 (DPA). The ICO's power to issue an enforcement notice can be used to bring about compliance with the DPA, but cannot be used to impose sanctions or prosecute breaches, however serious.
The new regulatory powers under RESA extend the sanctioning "toolkit" available to the ICO. However, these powers are alternatives to criminal prosecution and therefore can only be used in relation to "relevant offences", which are already offences under criminal law. Under the DPA these would include: non-notification; failure to comply with an enforcement notice; and unlawful obtaining, disclosing or procuring of personal data and selling of personal data so unlawfully obtained.
"Stop now" notices will also be a useful power, enabling the ICO to forbid a non-compliant organisation from further processing personal data, and the power to impose fixed fines under RESA is potentially a useful string to the ICO's bow.
The RESA will clearly have an impact on a variety of regulatory areas across the UK, ensuring more consistency of enforcement and greater flexibility in terms of penalties imposed.
However, it is difficult to see how these provisions, which focus on alternatives to criminal prosecution in the courts will interact with the ICO's present enforcement initiatives. The ICO has put much emphasis on the Criminal Justice and Immigration Act 2008, which contains an amendment to the DPA empowering the courts to impose custodial sentences for DPA offences and which is expected to come into force shortly. The ICO considers fines imposed by the courts are often regarded as "a business expense" and consider "the possibility of imprisonment … is both an appropriate punishment and effective deterrent" for serious breaches of the DPA. According to its response to the consultation on the RESA, the ICO considers "that the availability of the fixed monetary penalty sanction would present us with a distraction from our current efforts to address the problem through prosecution in the courts."