The ICO has been imposing fines since 2010 so it is now possible to identify some common features of the ICO’s approach. In particular, section 55A of the Data Protection Act 1998 (DPA) allows the ICO to impose monetary penalty notices where:
- There has been a serious breach of section 4(4) of the DPA (failure of a data controller to ensure that personal data is dealt with in accordance with the DPA principles)
- The contravention is likely to cause substantial damage or distress; and
- The contravention was deliberate or the data controller (1) knew or ought to have known that there was a risk of contravention and (2) failed to take reasonable steps to prevent the contravention.
The “standard case”
The vast majority of the fines imposed by the ICO relate to data breaches arising from the penalised organisation’s failure to adhere to the seventh data protection principle (to take “appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss … personal data”).
Fines imposed in respect of organisational failures commonly arise not from the failure to put an adequate data security policy in place at all, but from the failure to implement and enforce policies properly. In particular, many breaches arise from staff failing to follow the organisation’s data security policy, and evidence of widespread organisational non-compliance is often an aggravating factor in the level of the ICO’s fines. The cases concerning inadequate technical measures include the use of no or weak passwords for sensitive data, the lack of encryption of data on mobile devices and the failure to monitor the activities of outsourced IT providers.
The most high profile recent fine in this regard was imposed on Sony in January 2013 in respect of the PlayStation Network hack of April 2011. In the Sony case the fine was imposed as a result of Sony’s failure to address properly a known security vulnerability in its systems. However, many of the fines relate to far more innocuous, low-tech breaches such as mistakenly including personal details in an email (eg Stoke on Trent City Council, October 2012, £120,000) or losing print or electronic media containing sensitive data (eg Nursing and Midwifery Council, February 2013, £150,000).
The ICO has recently announced its intention to crack down on firms involved in illegal marketing. So far it has imposed fines on two companies, one responsible for nuisance calls (DM Design Bedrooms, £90,000) and one for spam emails and texts (Tetrus, £440,000 in total). It has also announced that it is investigating a further ten companies and has become increasingly proactive in investigating suspected offenders by, for example, searching premises and seizing equipment in the Tetrus case.
The legal basis for the fines imposed on cold callers is that calls were made without reference to the Telephone Preference Service (TPS), and accordingly without establishing whether the recipients of the calls had consented to the use of their personal data. Since 2012 the ICO has also had jurisdiction to regulate spam texts and emails under the Privacy and Electronic Communications Regulations (PECR), which allow fines to be imposed on marketers who send electronic marketing communications (1) without the recipients’ consent and/or (2) without identifying the sender. The Tetrus fine was the first time the ICO had exercised its power to impose fines under PECR but, if its public pronouncements are followed up, it looks unlikely to be the last.
The ICO’s stance on this issue, often acting on the basis of consumer complaints or reports from the TPS, suggests that it may be willing to take an increasingly aggressive role in this, and possibly other regulated areas, in the future. It also shows a willingness to push its jurisdiction into areas which might traditionally be thought of as the province of other regulators; in particular, Ofcom has traditionally had jurisdiction over nuisance calls under its remit to prevent the “persistent misuse” of telecommunications networks and services.
The ICO’s remit is also likely to be widened to cover the compulsory assessment of data security practices at NHS bodies. The proposals, issued by the Ministry of Justice, are currently out to consultation, but the industry consensus is that compulsory assessment is on the way.
Level of fines
Although the ICO has jurisdiction to impose fines of up to £500,000, in practice it rarely issues fines above £200,000–300,000 (Sony, for example, was fined only £250,000 as a result of the PlayStation Network hack, despite the serious and high profile nature of the breach). In the case of inadvertent data breaches by public bodies such as councils, and by charities, fines are often less than £100,000. However, the Tetrus case, which involved the deliberate flouting of the data protection principles, produced in combination one of the largest penalties yet: fines of £300,000 and £140,000 imposed on the two principals of Tetrus. The level of those fines was justified by the deliberate nature of the conduct, the lack of co-operation from the principals and the significant profits the individuals were thought to have made from their wrongful conduct.