In May 2008, the UK legislature introduced provisions allowing the Information Commissioner to impose monetary penalties for serious contraventions of the data protection principles which underpin the Data Protection Act 1998.
It has been a long wait for the detailed enabling secondary legislation, but following a consultation period where maximum penalties ranging from £50,000 to £2.5 million were considered, a maximum monetary penalty of £500,000 has been set. This power is due to come into force on 6 April 2010 (provided that there are no further amendments when it is debated in Parliament in February).
The power to impose monetary penalties applies where:
- there has been a serious contravention of one of the data protection principles (personal data must be processed fairly and lawfully; personal data shall be obtained only for one or more specified and lawful purposes; etc.); and
- the contravention was of a kind likely to cause substantial damage or distress; and
- either the data controller contravened deliberately, or the data controller knew or ought to have known that there was a risk that the contravention would occur and that it would be likely to cause substantial damage or distress, and failed to take reasonable steps to prevent the contravention.
It should be noted that there are a number of procedural steps before the penalty can be imposed, including an opportunity to make representations as to why the penalty should not be imposed and a right to appeal to the Information Tribunal.
The Information Commissioner has also published statutory guidance on how he proposes to exercise these new powers.
It is clear from the guidance that the Information Commissioner intends to use the powers to promote compliance with the Act (i.e. as a deterrent against non-compliance) and that data controllers with substantial financial resources are likely to attract higher monetary penalties than smaller entities for the same contravention.
We believe that the Information Commissioner will use this power quickly following its introduction in April 2010, and that larger organisations will find it difficult to resist the imposition of a monetary penalty (and the negative publicity associated with being one of the first organisations fined under these new powers) where their practices and systems are materially inadequate at the time of a data breach that comes to the Information Commissioner’s attention.
Finally, it should be noted that these powers can be used where there is a serious breach of any of the data protection principles. Although the press has focused on data security breaches in the recent past, other areas such as processing without grounds or adequate consent are also likely to be sanctioned under these powers.
If you require more information or training on key data privacy areas where non-compliance is likely for your business, please contact us.