The recent burst of legislation about penalties for breaches of data protection is worth noting. It heralds a much tougher enforcement requirement than has been in place for the first ten years or so of the Data Protection Act.
In 2008, the Civil Justice and Immigration Act provided for the Information Commissioner to have powers to impose “civil penalties” on data controllers for serious breaches of their responsibilities under the Data Protection Act 1998. The Information Commissioner made much of the passing of the Act and ensured a hue and cry was made about it, but in fact the powers only come into effect when a Statutory Instrument is made and there was no evidence of such a Statutory Instrument at the time.
In October 2009, in what seems to be a co-ordinated move, the Information Commissioner published a consultation document on the powers that he is soon to be granted to award civil penalties of up to £500k; and the Ministry of Justice published a consultation on its proposal to use powers under the Civil Justice and Immigration Act 2008 to provide for a maximum penalty of two years in prison for criminally obtaining personal information from a data controller, such as the recent pillaging of T-Mobile’s customer list. The MoJ consultation is an incredibly swift response to a call by the Information Commissioner in September to introduce custodial sentences for what effectively is theft of personal information from data controllers. The Information Commissioner has used the T-Mobile affair to reinforce his demand that custodial sentences be available for data theft.
The background to these moves is firstly the case of Ian Kerr (who ran a database of over 300,000 construction workers used by the industry to avoid ‘so-called’ troublemakers) and secondly a continuing stream of enquiry agents who have appeared before the courts for the surreptitious acquisition and handling of data tricked out of data controllers. Mr Kerr’s transgression would not have seen him going to prison even under the new regime. The Magistrates sent Kerr to the Crown Court to ensure he had the stiffest possible sentence. He was fined £5k for failing to register as a data controller. However, in contrast to that he could (in theory) have been subject to an enormous financial penalty from the Information Commissioner had the new powers been available to him at that time. Cases of unlawful obtaining of personal data used to be rife in the enquiry agent industry and have occurred regularly with people moving jobs and taking their previous employer’s customer list with them when they move. It has long been prudent to instruct enquiry agents expressly to remain within the data protection legislation when conducting their enquiries.
Cases of data controllers acting in breach of the Data Protection Act are much more frequent than data theft, as is shown by the blizzard of cases where unencrypted personal data has been mislaid. The Information Commissioner looked on with envy at the separate powers of the FSA to levy substantial fines on regulated persons who disclosed or lost their customers’ data. It is the Information Commissioner’s powers under Section 55A of the Data Protection Act that are going to be the most widely used of these new penalties. In order to exercise his power to levy a civil penalty, the Information Commissioner has to be satisfied that there has been a serious breach of the data protection principles set out in Schedule 1 of the DPA.
It is just as well that the Information Commissioner is consulting on the guidance that he is giving, because the interpretation set out in the guidance is far from clear. Various parts of the Information Commissioner’s powers are dealt with out of order and at one point a term is defined that is not even used in the Act.
This being data protection, there is no surprise that the guidance is lengthy, but that is no reason for repeating the same information several different times in somewhat different words. Indeed, it would appear that whoever drafted the document has not fully understood the Information Commissioner’s duties. The details of the process which the Information Commissioner must follow in determining a penalty are to be laid out in a draft Statutory Instrument on which the guidance comments. Strangely, although the Information Commissioner is consulting on the guidance he is giving about these draft Regulations, they are not available, so it is impossible to tell whether the guidance accurately reflects the powers and duties the Regulations will give him.
Broadly, the Information Commissioner will investigate a breach and make an assessment of its seriousness. He will establish whether there are any mitigating or aggravating factors and, once he has decided to issue a civil penalty, he will send a Notice of Intent to the data controller. This will set out the Information Commissioner’s assessment of the case against the statutory criteria and inform the data controller of the amount of the proposed penalty. The data controller then has 28 days to make representations to the Information Commissioner (this time may be extended by the Information Commissioner). If representations are made to the Information Commissioner, he has a duty to look at them and reassess the penalty. The Information Commissioner may then issue the penalty notice, which again has to set out the details of how he arrived at his decision, and this will be publicised on the Information Commissioner’s website.
A period of at least 28 days must be allowed for payment of the penalty and there will be an early payment discount of 20%. If not paid or appealed, the penalty may be enforced by court action, as if it were a Court Order. An appeal against a civil penalty can be made to the Information Tribunal. How to do this has to be set out in the penalty notice, but the detail is non-existent at the moment. We presume that the period for appeal will be at least the 28 days in which payment must be made. As the Information Tribunal is itself undergoing a transformation into a division of the Tribunal Service, a new monolithic structure covering all the many Tribunals which exist under English and UK law, there would seem to be plenty of room for delay before this new structure is up and working.
Make no mistake, a civil penalty is a fancy expression for a fine. Any money recovered by the Information Commissioner, acting as prosecutor and judge, is to be paid over to the Treasury. It is the Information Tribunal which will be the protector of the right to a fair hearing required by Human Rights law.
The draft guidance appears to show a lack of understanding at the Information Commissioner’s office about the powers he is shortly to acquire. Using personal data is already a minefield, in which data controllers have to take balanced decisions on how to make use of the personal data they have. It is unfortunate that the guidance uses some 16 pages to explain a statutory section which is written in plain English on half a page, yet leaves the reader little the wiser. This firm will be making a submission in the hope that it can assist in resolving some of these defects.