The UK Information Commissioner's £50,000 fine of the Prudential grabbed legal headlines for a number of reasons. It was the first monetary penalty notice not related to a security breach. It was also one of only three fines imposed by the ICO to date on organisations in the private sector. At first glance, it seems small compared to fines meted out by the ICO on the public sector and by the FSA on other financial institutions. However, it is part of a continuing trend by the Information Commissioner to fine for serious breaches of data protection laws. It is also yet another example of the potential damage non-compliance with data protection laws can cause to an organisation's reputation. Ross McKean, Dan Tench and Helen Andrews give their perspective.
The Prudential's breach
The ICO issued its penalty notice against The Prudential in October 2012.
The Prudential held records for two customers with the same first name, surname and date of birth. Both records were merged in March 2007 which led to financial statements being sent erroneously to both customers and tens of thousands of pounds of retirement savings ending up in the wrong account. Despite both customers notifying Prudential of the error on several occasions, the records were only demerged in September 2010.
The ICO found that there had been a serious contravention of the fourth data protection principle, which provides that personal data shall be accurate and, where necessary, kept up to date. The ICO stated that the contravention was of a kind likely to cause substantial distress and that, given that the company had approximately six million customers, it "ought to have known that there was a risk that customer records could become mixed-up" and that no reasonable steps had been taken to prevent this.
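The failure described above is a record-matching problem: two distinct customers collided on first name, surname and date of birth, and the merge logic treated that collision as proof of identity. The following added example (not code from the article or from the Prudential) contrasts that naive rule with a merge policy that auto-merges only when a strong identifier also matches and otherwise queues the pair for manual review. The record fields, the account number used as the strong identifier and all sample data are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class CustomerRecord:
    """A customer master record. Field names are assumptions for this example."""
    record_id: str
    first_name: str
    surname: str
    date_of_birth: str     # ISO date string
    account_number: str    # assumed to be unique per real customer (strong identifier)
    postcode: str

def weak_key(r: CustomerRecord) -> tuple:
    """Name + DOB: the key the naive merge used. Not unique across a large customer base."""
    return (r.first_name.casefold(), r.surname.casefold(), r.date_of_birth)

def naive_merge_groups(records: list[CustomerRecord]) -> list[list[CustomerRecord]]:
    """Unsafe behaviour: every name+DOB collision is treated as one person and merged."""
    groups: dict[tuple, list[CustomerRecord]] = {}
    for r in records:
        groups.setdefault(weak_key(r), []).append(r)
    return [g for g in groups.values() if len(g) > 1]

def classify_pair(a: CustomerRecord, b: CustomerRecord) -> str:
    """Decide what to do with a candidate pair.

    'auto_merge'    : weak key matches AND the strong identifier matches.
    'manual_review' : weak key matches but nothing stronger does; keep both records
                      separate until a person confirms they are the same customer.
    'distinct'      : weak key differs; never a merge candidate.
    """
    if weak_key(a) != weak_key(b):
        return "distinct"
    if a.account_number == b.account_number:
        return "auto_merge"
    return "manual_review"

def safe_merge_plan(records: list[CustomerRecord]) -> dict[str, list[tuple[str, str]]]:
    """Hardened behaviour: produce a plan instead of merging on the weak key alone."""
    plan: dict[str, list[tuple[str, str]]] = {"auto_merge": [], "manual_review": []}
    for group in naive_merge_groups(records):
        for a, b in combinations(group, 2):
            verdict = classify_pair(a, b)
            if verdict != "distinct":
                plan[verdict].append((a.record_id, b.record_id))
    return plan

# Constructed sample data: R1 and R2 are two different people who share name and DOB
# (the situation in the article); R3 is a genuine duplicate of R1 (same account number).
RECORDS = [
    CustomerRecord("R1", "Alice", "Smith", "1960-04-12", "A-1001", "AB1 2CD"),
    CustomerRecord("R2", "Alice", "Smith", "1960-04-12", "A-2002", "EF3 4GH"),
    CustomerRecord("R3", "alice", "SMITH", "1960-04-12", "A-1001", "AB1 2CD"),
    CustomerRecord("R4", "Bob",   "Jones", "1975-09-30", "A-3003", "IJ5 6KL"),
]

if __name__ == "__main__":
    # The naive rule would collapse R1, R2 and R3 into one record, mixing two customers.
    print("naive groups:", [[r.record_id for r in g] for g in naive_merge_groups(RECORDS)])
    # The hardened rule merges only R1/R3 and sends the R2 pairings for review.
    print("safe plan:", safe_merge_plan(RECORDS))
```

The design point is that a weak key is acceptable for generating candidates but never for committing a merge; the strong identifier gates the automatic path, and anything that fails that gate stays separate until a human with access to more context decides. Recording the manual-review queue also gives an audit trail, which is what a regulator looks for when asking whether reasonable steps were taken.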
A recap on the ICO's fining powers
The Information Commissioner has had the power to serve monetary penalty notices on data controllers for breach of the data protection principles since 2010. To date, the majority of notices have been served on public bodies for security breaches. Under Sections 55A and 55B of the Data Protection Act 1998, the Commissioner may serve a monetary penalty notice of up to £500,000 where there has been a serious contravention of Section 4(4) of the Act (the duty to comply with the data protection principles) and the contravention was of a kind likely to cause substantial damage or distress. In addition the contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it. The ICO's guidance on how it will use these powers is available here.
UK monetary penalties to date - a snapshot
Despite the power to impose these notices extending to all data controllers in the private, public and voluntary sectors, the penalties imposed to date have been almost exclusively on public bodies, and in relation to security breaches. Fines to date have ranged from £1,000 to £325,000. The Prudential fine is only the third penalty notice served on private sector organisations - Welcome Financial Services Limited and ACS Law being the other two. Both those penalties were in relation to security breaches.
£50,000 for the Prudential: high or low?
The ICO Framework on monetary penalties provides a "seriousness rating" as follows: for serious breaches a penalty will be between £40,000 and £100,000; for very serious breaches the penalty will be more than £100,000 but less than £250,000; and for the most serious breaches, the penalty will be more than £250,000 up to the maximum of £500,000.
In determining the fine at £50,000, the ICO took into account aggravating features, including: that the error had the potential to cause the customers financial loss and possible identity fraud; that Prudential failed to correct the inaccuracy over a long period of time despite being notified; and that Prudential failed to conduct a proper investigation.
The ICO also took into account mitigating features, including: that only two data subjects were affected; the Commissioner was unaware of any directly similar contraventions despite the number of Prudential customers; no evidence that the data had been further disseminated; that compensation had been paid; that the funds transferred were recovered; that remedial action had been taken; and that Prudential had been cooperative with the Commissioner.
£50,000 is at the lower end of the range of fines previously imposed due to the mitigating factors. The ICO can and does impose much higher fines. The highest fine to date has been £325,000 imposed on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff on hard drives sold on an internet auction site. On average the fines have tended to be around £70,000 - £80,000.
However, viewed from other perspectives, even £50,000 seems a high price to pay for this particular DPA breach. By way of parallels, it significantly exceeds the compensation which could be expected in a civil privacy claim. In addition, in criminal prosecutions brought under section 55 (unlawful obtaining of personal data), fines have tended to be in the order of a few hundred pounds.
It is true that in the past failures in respect of personal data committed by financial services companies have been investigated and punished by the FSA and not the ICO. In doing so, the FSA has imposed extremely heavy penalties. For example, in 2009 the FSA imposed a fine of £3m on HSBC for various failures in respect of the personal data it held and in 2010 imposed a fine of £2.3m on Zurich Insurance for mislaying an unencrypted tape backup with 46,000 sensitive customer records on it.
However, across its functions the FSA typically operates a fining regime several orders of magnitude higher than other regulators, and these cases related to substantial numbers of customers. Although in the Prudential case the ICO was itself dealing with a financial services company, the approach it adopted must be taken as indicative of the approach it will adopt in respect of any type of company on which it is to impose a financial penalty. It is not clear how the ICO arrived at the level of the fine. The ICO Head of Enforcement simply stated that it was sending a "message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people's records are accurate".
International perspective and future fine increases
The UK is certainly not alone in its approach to imposing fines for breach of data protection laws.
In Spain, for example, the maximum fine for breach of Spanish data protection laws is 600,000 Euros. However, as multiple related breaches can result in multiple fines, the actual figure imposed on an organisation can be much higher. The most infamous example of this was the 1.08 million Euro fine imposed on Zeppelin TV, the Spanish producer of the "Big Brother" reality TV show, for making salacious information about applicants available online. Typically the Spanish data protection regulator is rather more restrained, imposing relatively small fines of 900 to 40,000 Euros.
In Germany the maximum fine that can be imposed for breach of data protection law is 300,000 Euros. Again, multiple breaches can result in multiple fines so in theory the total fine imposed on an organisation for related events could be much higher. Each of the 16 German state data protection authorities has power to impose fines. Some of the highest fines to date include a 1.5 million Euro fine imposed on Lidl in 2009 for highly invasive monitoring of their employees. Deutsche Bahn was fined 1.1 million Euros for breaches of data protection laws arising from invasive screening of employees. HaSpa (the savings bank of Hamburg) was fined 200,000 Euros for transferring customer data to external service providers.
If the EU's reform proposals are adopted, companies could face far higher fines in future. The draft Data Protection Regulation introduces the requirement for data protection authorities to impose fines of up to 2% of a data controller's annual worldwide turnover which, if this becomes law, would be a huge increase to the maximum fines currently in place. In addition, as currently worded the draft Regulation would mandate the imposition of such fines rather than giving regulators discretion - something which the ICO has publicly criticised. Not surprisingly given the current economic climate, the draft Regulation does not provide for any additional resources for data protection authorities. Several regulators have questioned how they will be able to consider and impose appropriate fines given that their enforcement budgets are already stretched as it is. Whatever the final outcome of the draft Regulation, the trend is very clear: larger and more frequent fines are and will continue to be the norm for non-compliance with data protection laws.
Can fines be appealed?
Under Section 55B(5) of the DPA, an entity on which a monetary penalty is imposed may appeal either the very fact that a penalty was imposed or the level of the penalty to the Information Rights Tribunal. It is not clear whether, on such an appeal, the Tribunal will simply consider afresh what the appropriate penalty should be or whether it will amend the penalty only if it believes the decision of the ICO was outside the range of what could be considered appropriate.
The first appeal on the imposition of a financial penalty, being brought by Central London Community Healthcare NHS, which had a £90,000 penalty imposed on it in May, is due to be heard in early December this year.
How to avoid a monetary penalty notice
The ICO only imposes fines if the contravention is deliberate or if the data controller knew or ought to have known that there was a risk that the contravention would occur and failed to take "reasonable steps" to prevent it. In practice, reasonable steps include:
- a risk assessment;
- appropriate policies and procedures;
- appropriate guidance to staff;
- good governance and/or audit arrangements in place to establish clear lines of responsibility for preventing contraventions;
- robust monitoring mechanisms; and
- adherence to relevant guidance or codes of practice.
In assessing whether reasonable steps have been taken the Commissioner will take into account the resources available to the data controller. For more information on the imposition of monetary penalty notices you can find the full ICO guidance here.
Other practical lessons for businesses
The Prudential fine demonstrates that the ICO is getting more active when imposing fines, and that serious breaches of any data protection principle - not just the security principle - expose a business to risk.
Aside from regulatory fines, arguably the far greater risk for a business is the damage that a public reprimand and fine from the regulator causes to its reputation. It is the risk of reputational damage and the many examples in the press of organisations who have suffered as a result of public compliance breaches which is rightly moving information management and security to the top of compliance agendas for organisations.
Mistakes happen, and no compliance function or process, however perfect, can completely remove the risk of security breaches and other breaches of data protection laws occurring. However, as the Prudential case illustrates, organisations that cannot demonstrate that they have considered and taken appropriate steps to mitigate the risk of breaching their compliance obligations face an increasingly assertive regulator and the prospect of even greater fines down the track if the draft Regulation becomes law.
Marcos García-Gasco and Christina Motejl contributed to this article.