The United Kingdom’s Information Commissioner’s Office (ICO) is committed to enforcing the Data Protection Act 1998 (DPA) and has the right to impose fines of up to £500,000 for serious breaches. With the level and number of fines increasing in the last year in the United Kingdom, in line with a European trend, ensuring compliance with the DPA has never been more important.
The DPA, which came into force on 1 March 2000, provides the ICO with a number of tools to change the behaviour of organisations and individuals who collect, use and keep personal information. These tools include criminal prosecution, non-criminal enforcement and audits. The ICO also has the power to serve a financial penalty notice, requiring payment of up to £500,000 for serious breaches of the DPA occurring on or after 6 April 2010, or serious breaches of the Privacy and Electronic Communications Regulations occurring on or after 26 May 2011.
A financial penalty will only be appropriate in the most serious situations. When deciding the amount of a penalty, the ICO takes into consideration the seriousness of the breach and other relevant factors including the size, finances and other resources of the data controller.
Examples of Penalties
The first two financial penalties were issued in November 2010 to Hertfordshire County Council (employees in the childcare litigation unit accidentally sent faxes to the wrong recipients on two separate occasions) and A4e Limited (which lost an unencrypted laptop that contained personal information) for the amounts of £100,000 and £60,000 respectively. Since then, the ICO has issued more than 20 financial penalties ranging from £60,000 to £325,000. The largest penalty served so far was levied on Brighton and Sussex University Hospitals NHS Trust on 1 June 2012 following the discovery, on hard drives sold on an online auction site, of highly sensitive personal data belonging to tens of thousands of patients and staff, including information relating to HIV and Genito Urinary Medicine patients.
Significant penalties issued by the ICO since 2011 include:
- A £250,000 penalty issued on 11 September 2012 to Scottish Borders Council after former employees’ pension records were found in an overfilled paper recycle bank in a supermarket car park.
- A penalty of £175,000 issued on 6 August 2012 to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website.
- A penalty notice of £150,000 served on Welcome Financial Services Limited on 5 July 2012 following the loss of the personal data of more than half a million customers.
- A penalty notice of £225,000 served on Belfast Health and Social Care Trust on 19 June 2012 following a serious breach that led to the sensitive personal data of thousands of patients and staff being compromised. One of the factors the ICO took into account was that the Trust failed to report the incident.
- A penalty of £100,000 issued on 13 February 2012 to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.
- A penalty of £140,000 issued on 30 January 2012 to Midlothian Council for disclosing to the wrong recipients sensitive personal data relating to children and their carers on five separate occasions. The penalty was the first against an organisation in Scotland.
- A penalty of £130,000 issued on 6 December 2011 to Powys County Council after the details of a child protection case were sent to the wrong recipient.
- A penalty of £120,000 issued on 9 June 2011 to Surrey County Council after sensitive personal information was e-mailed to the wrong recipients on three separate occasions.
These examples show the increasing size of the fines, from £120,000 in June 2011 to £250,000 in September 2012.
The increasing level of fines imposed by the ICO in the United Kingdom appears to be in line with a European trend.
Germany has been at the forefront of privacy law developments for the last few years. In 2009 the German Federal Data Protection Act (the BDSG) was amended to introduce a stricter enforcement regime, increasing to €300,000 the maximum fine for each instance of unlawful processing of personal data. In November 2010, the Hamburg data protection authority (DPA) imposed a €200,000 fine on Hamburger Sparkasse, a savings bank, for using neuromarketing techniques without customer consent. The Hamburg DPA determined that the disclosure of bank account data to external consultants and the creation of customer profiles for targeted promotions constituted a serious breach of the BDSG, warranting the considerable €200,000 fine. The fine may well have been even higher had the bank not cooperated rapidly and made a strong commitment to comply with data protection law in the future.
Now other European territories are following suit. The Garante per la Protezione dei Dati Personali (the Garante), the Italian data protection authority, released a new set of data breach notification rules on 7 August 2012. These rules require that all telecommunications and internet service providers notify the Garante within 24 hours of discovering a data breach. In the most serious cases, individual users must also be notified within 72 hours. Entities that fail to make the required notifications can be fined between €25,000 and €150,000.
In the same month, Portugal also announced a new law requiring electronic communication service companies to similarly notify the Portuguese data protection authority, the National Data Protection Commission, of breaches “without unjustified delay”. Notifications must also be made to end users if the breach could affect them negatively, unless the entity can show that it has adopted “adequate technological protection measures”.
Violations can lead to significant fines of between €5,000 and €5 million.
The move towards increased penalties for breaches of data privacy is highlighted by proposals for reform of the EU data protection law. In January 2012, the European Commission published its long-awaited proposals, the main aspect of which is the draft Data Protection Regulation that would replace the Data Protection Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The new law, expected to come into effect by the end of 2013, has hit the headlines because, amongst other things, the fines for breach will be significantly greater than at present. Written warnings will be issued for first and non-intentional failures to comply, followed by fines of up to €1 million, or 2 per cent of annual worldwide turnover for international businesses, depending on the seriousness of the breach and the circumstances of the case.
According to the ICO, the number and size of financial penalties issued should compel individuals and organisations to take better care of personal data. It is clear the ICO will not shy away from using its powers to impose high penalties where there have been serious breaches of data protection law. Moreover, the new EU data protection law, when adopted, will increase the potential consequences for failing to treat data privacy as a key compliance issue for all businesses.