The Criminal Justice and Immigration Act 2008 (the "Act") was given royal assent on 8 May 2008. Certain provisions of the Act, which will be brought into force by secondary legislation, are intended to overhaul the sanctions regime set out in the Data Protection Act 1998 (the “DPA”).
The key amendments under the Act are the following:
- the proposal to give the Information Commissioner’s Office the power to issue penalty notices and fines to data controllers who commit serious breaches of any of the data protection principles; and
- providing for a possible amendment to the DPA to introduce fines and imprisonment for data protection offences.
Current position under the DPA
The DPA regulates the collection and use of personal data in the UK. Under section 55 of the DPA, the knowing or reckless obtaining or disclosure of personal data, or the procuring of its disclosure, without the consent of the data subject is an offence, as is the selling of data so obtained or disclosed. There are limited defences to this offence. Following various high-profile data protection news stories (including the loss of the details of 25 million recipients of Child Benefit), in January 2008 the Information Commissioner asked the Government to increase the statutory penalties for non-compliance with the terms of the DPA. The key changes are as follows.
New defence to section 55 offences
The Act creates a new defence to offences under section 55 of the DPA, where it can be shown that a person has obtained or disclosed the personal data for journalistic, literary or artistic purposes with a view to publication of journalistic, literary or artistic material, and in the reasonable belief that what they have done was justified as being in the public interest. This provision has already come into force with the passing of the Act on 8 May 2008. This new provision provides an important new defence to offences under the DPA. The burden of this provision rests with the individual who must demonstrate not only that the obtaining or disclosure of personal data was for a journalistic, literary or artistic pursuit, but also that they had reasonable and genuine belief that disclosure was in the public interest. This is a high standard of proof which is commensurate with the importance of the protection of personal data.
Power to increase penalties for data protection offences
Under section 77 of the Act, the Home Secretary will have the power (after the appropriate consultation) to issue secondary legislation which will increase penalties for offences under section 55 of the DPA. The maximum penalty that may be imposed as currently envisaged by the Act will be 12 months' imprisonment and a fine up to the statutory maximum (currently £5,000) on a summary conviction. For conviction on indictment, an unlimited fine and two years' imprisonment is the proposed sanction. The bringing into force of these provisions will be deferred until the Home Secretary has consulted on the length of sentences. This is a key part of the new proposals and, quite naturally, will be a focus for most clients. The prospect of criminal sanctions such as imprisonment is no small matter for data controllers, who will naturally be more anxious to seek advice from their legal advisors regarding compliance with the DPA.
New penalties for contraventions of data protection principles
Section 144 of the Act amends section 55 of the DPA so as to empower the Information Commissioner to serve monetary penalty notices on data controllers who commit serious breaches of the data protection principles set out at Schedule 1 of the DPA, which essentially require that personal data be processed fairly and securely. Before doing so, the Commissioner must be satisfied that the contravention of one of the eight principles was serious and of a kind likely to cause substantial damage or substantial distress. In addition, it must be shown that the data controller either deliberately contravened the DPA, or knew or ought to have known that there was a risk that a contravention would occur. Before serving any penalty notice, the Commissioner must serve a notice of intent on the data controller, giving him a set length of time to make representations to the Commissioner in response.
A data controller who is fined under these provisions can appeal to the Information Tribunal, contesting either the issue or the level of the fine. This section also requires the Information Commissioner to publish guidance on the circumstances in which he will issue fines and on how he will decide on the level of fines. It also empowers the Home Secretary to make secondary legislation on other details such as the maximum level of fines, the cancellation of counter-notices, the procedure for appeals and so on. This section of the Act remains to be brought into force by a future statutory instrument. There is no set date for the bringing into force of these provisions.
This is another key change to the DPA, which one can expect will lead many clients to seek advice not only on how to avoid/challenge fines, but also on compliance with the Eight Principles and the DPA generally.
What does this mean for my business?
Currently the Information Commissioner’s only real sanction against those who fail to protect the security of personal data is to serve an enforcement notice on them. This has increasingly been seen as lacking teeth in an age when almost all organisations routinely store large amounts of personal data, and particularly toothless given the move to centralisation of the storage of personal data through schemes such as the proposed National Identity Card Scheme and the NHS scheme for instant access to medical records.
There is a perception that data protection is often ignored or given low priority in most industries, and that this has led to widespread breaches of the DPA which have hit the headlines in a manner that is both spectacular and damaging. Banks, retailers and Government departments have all suffered humiliating breaches of data security and have paid the price in terms of falling custom and negative press. With the creation of criminal sanctions for data offences, these breaches are set to have an ever-increasing impact on the bodies which experience them and on the individuals who are meant to prevent them.
The sweeping amendments in the Act which criminalise the disclosure of personal data are deferred pending the outcome of various reviews which are still under way (for instance, the review on information-sharing in the public sector and various Select Committee reviews). In addition, in the review of the Information Commissioner, published in January 2008, proposals were put forward for a wide range of powers in addition to sanctions, such as powers of inspection and search without notice or data controllers’ consent. It is envisaged that progress on these issues is likely to take place later this year, when the Government receives recommendations from their outstanding reviews.
With the key amendments remaining to be brought into force, the Government has offered valuable breathing space to companies and public bodies who may wish to use this golden opportunity to review their own data protection systems and protocols and, if necessary, seek advice on strengthening these while they still have time. It is clear that the success of the new system in tackling lax data security will depend to a large extent on how far the fines can go, and how real the threat of criminal liability is. However, data controllers must not be under any illusions as to which way the tide is turning. Breaches of the DPA will be treated far more seriously in future and all organisations which collect and process personal data would be well advised to take steps now to check that they have robust systems to comply with the DPA on a going-forward basis.