The dawn of another year ahead of us presents the conventional opportunity to commit to changing one’s ways and abandoning bad habits. So what laudable goal is fitting of not only a new year, but also a new decade? While ‘lose weight’, ‘quit smoking’ and ‘get fit’ are often popular choices, changes afoot in the world of data protection law push ‘save money’ and ‘stay out of jail’ rather further up the priority list.
Even in the season of merriment, regulatory fines can pose a sobering prospect. The FSA’s ‘Principles for Businesses’ require that an organisation takes “reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems” or else face a fine levied by the FSA. This principle extends to maintaining the security of customer data, as was made readily apparent by the fines exceeding £3 million levied on financial services businesses for data mishandling in 2009 alone.
The risk of financial penalties being imposed by the FSA for data security lapses is nothing new. However, the FSA has indicated that in the first quarter of 2010 it will publish the results of its recent financial penalties consultation, which could well see the level of penalties significantly increase next year (possibly even triple), together with the amount of FSA enforcement action.
As if that wasn’t enough to put you off your festive turkey, as of April 2010, you could be fined twice for customer data mismanagement, when the Information Commissioner’s Office receives its long sought after powers under Section 55A of the Data Protection Act 1998. Section 55A has been on the statute book for quite some time now (having been introduced by the Criminal Justice and Immigration Act 2008), but although currently dormant, publication of the Ministry of Justice’s final impact assessment in November 2009 is likely to mean that it will come into effect in 2010.
Section 55A empowers the ICO to levy fines on organisations who knowingly or recklessly commit serious breaches of any of the data protection principles, where substantial damage or distress is likely. These principles relate not only to data security but also to matters such as data retention, accuracy and fair processing - and financial services businesses would do well to ensure that they are aware of the ICO’s latest guidance on each of these matters. While the Ministry has considered maximum fines of £2.5 million or even setting them at 10% of the organisation’s turnover, it now looks more likely that a £500,000 option will be chosen.
The Ministry is also currently consulting on the introduction of custodial sentences in 2010 for infringement of Section 55 of the Data Protection Act. This section makes it a criminal offence to knowingly or recklessly obtain or disclose personal data without the consent of the data controller. While ‘blagging’ (as the offence is colloquially known) is more often suffered by, rather than committed by, financial services personnel, the proposed change in penalties highlights the need for care when instructing external parties in relation to debt collection and other such matters.
So as we see out the first decade of the millennium, make a New Year’s resolution worth sticking out: save money and stay out of jail!