Regulations giving the Information Commissioner ("the IC") the power to impose financial penalties of up to £500,000 for serious breaches of the Data Protection Act 1998 have been introduced. The new powers are expected to come into force on 6 April 2010 and will apply only to contraventions occurring on or after that date.
The prospect of a substantial fine means it is more important than ever for employers (in their role as 'data controllers') to make sure they are complying with the requirements of the Data Protection Act when handling 'personal data'.
Employers should ensure that they have carried out regular risk assessments or at least shown that they have recognised the risks of handling personal data and taken steps to address these. Audit arrangements should be in place to establish clear lines of responsibility for preventing breaches of the Data Protection Act. Appropriate data protection policies and procedures should be implemented, be up to date and reflect current guidance or codes of practice published by the Information Commissioner's Office (ICO).
The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 set the maximum financial penalty at £500,000 for serious breaches of the data protection principles by data controllers responsible for processing personal data.
Guidance issued by the ICO confirms that financial penalties will be issued only in the most serious cases, where the breach has caused or is likely to cause substantial damage or distress. Furthermore, the breach must either have been deliberate, or the data controller must have known or ought to have known that there was a risk a breach would occur and failed to take reasonable steps to prevent it.
Although the maximum financial penalty is £500,000, the IC can issue penalties of lesser amounts and/or combine a penalty with an enforcement notice in relation to the same breach. The nature of the data controller's business, as well as its size and financial resources, will be taken into account by the IC when determining the level of the financial penalty. However, no type of business or organisation is exempt from liability for a financial penalty.
The IC will first investigate the breach to establish that there has been a serious contravention of the data protection principles, taking into account whether the breach was serious, whether it caused substantial damage or distress, whether it was deliberate, and/or whether the data controller ought to have known about the risk that a contravention would occur. The ICO's guidance gives practical examples of what it considers to be a "serious" contravention and what it considers to have caused "substantial" damage or distress.
Once the IC is satisfied that he has the power to impose a financial penalty, he will then consider whether a penalty should be issued and, if so, the amount. Relevant factors include whether the breach was a 'one-off' or part of a series, what procedures the data controller had in place to avoid the breach, and what steps were taken to deal with the breach once the data controller became aware of it.
The IC will then serve the data controller with a notice of intent setting out the proposed amount of the financial penalty. The data controller can make written representations about the imposition of the penalty within a specified period. The IC will consider those representations and either serve the data controller with a monetary penalty notice or inform them that no further action will be taken. A data controller can appeal against the issue or the amount of a financial penalty to the First-tier Tribunal (General Regulatory Chamber).