In May 2008, the Information Commissioner’s Office (ICO) was given the power to levy fines for serious breaches of the Data Protection Act 1998 (DPA). The fines have been widely reported as "substantial" but the maximum level has not yet been confirmed.
Under the new power, the Information Commissionermay serve a “data controller” with a Monetary Penalty Notice (MPN) if he is satisfied that:
- there has been a serious contravention of the DPA;
- likely to cause substantial damage or distress; and
- the contravention was either deliberate or the data controller knew (or ought to have known) there was a risk such contravention and damage would occur and failed to take reasonable steps to prevent the contravention.
Every business in the retail sector is likely to be a data controller.
Before the power to fine becomes operational, two things have to happen: (1) secondary legislationmust be passed to set the level of themaximumfine and (2) guidancemust be produced by the ICO detailing when the power will be used and how the level of fines levied will be set. There is no official deadline for these to occur but it looks unlikely that we will see any fines being issued before 2009.
Many of the details which will determine how effective the new powermight be are still awaited. Based on the wording, it appears that a MPN could be issued even where substantial damage or distress has not actually been caused to individuals, provided that such damage or distress was a likely consequence of the particular breach and reasonable steps to prevent the breach had not been taken. If correct, thismight mean that a MPN could be issued for a loss of credit card or loyalty programme records linked to customers even where no damage was caused, eg, due to identity theft, provided that a risk of substantial damage was likely and reasonable preventative steps had not been taken by the organisation.
MPNs are a significant development in data protection law. They could, however, merely be the first in a range of enhanced powers sought by the ICO. Other powers requested include a right of audit without consent and a requirement for organisations to confirmin the company’s annual report that security policies have been followed. If the Information Commissioner gets even a fraction of what he is seeking, retail sector businesses - in which customer information plays such a fundamental role - should brace themselves for some challenging times ahead.