With effect from 6 April 2010, the Information Commissioner’s Office will have the power to impose financial penalties for serious contraventions of the data protection principles which underpin the Data Protection Act 1998 (the Act).
Following a consultation period where maximum penalties ranging from £50,000 to £2.5 million were considered, a maximum monetary penalty of £500,000 has been set.
The power to impose monetary penalties applies where:
- there has been a serious contravention of one of the data protection principles (for example, that personal data must be processed fairly and lawfully, or that personal data shall be obtained only for one or more specified and lawful purposes); and
- the contravention was of a kind likely to cause substantial damage or distress; and
- the data controller contravened deliberately, or knew or ought to have known that there was a risk that the contravention would occur and that it would be likely to cause substantial damage or distress, and failed to take reasonable steps to prevent the contravention.
It should be noted that there are a number of procedural steps before the penalty can be imposed, including an opportunity to make representations as to why the penalty should not be imposed and a right to appeal to the Information Tribunal.
The Information Commissioner has also published statutory guidance as to how he proposes to exercise these new powers. It is clear from the guidance that the Information Commissioner intends to use the powers to promote compliance with the Act (i.e. as a deterrent against non-compliance), and that data controllers with substantial financial resources are likely to attract higher monetary penalties than smaller entities for the same contravention.
We believe that the Information Commissioner will use this power quickly following its introduction in April 2010, and that larger organisations will find it difficult to resist the imposition of a monetary penalty (and the negative publicity associated with being one of the first organisations fined under these new powers) where their practices and systems are materially inadequate at the time of a data breach that comes to the Information Commissioner's attention.
Finally, it should be noted that these powers can be used where there is a serious breach of any of the data protection principles. Although the press has focused on data security breaches in the recent past, other areas such as processing without grounds or adequate consent are also likely to be sanctioned under these powers.