Background

The Data Protection Act (DPA) empowers the Information Commissioner to issue monetary penalty notices. Additionally, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 empowered the Information Commissioner to use monetary penalty notices for breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations). The ICO is therefore consulting on revisions to its guidance on monetary penalties first published in 2010.

Circumstances Where a Penalty is Appropriate

Under the DPA and the Regulations, the Information Commissioner may issue a monetary penalty notice of up to £500,000 if:

  • There has been a serious contravention of the DPA by the data controller or of the Regulations by a person.
  • The contravention was likely to cause substantial damage or substantial distress and either
    • Was deliberate, or
    • The data controller or person knew, or ought to have known, that there was a risk that the contravention would occur, and that it would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent it.

The draft guidance includes amongst other things examples of circumstances where the Information Commissioner may consider it appropriate to issue a monetary penalty notice.

For a serious contravention of the DPA these include:

  • The failure by a data controller to take adequate security measures, resulting in the loss of a disk holding personal data.
  • The loss of medical records containing sensitive personal data, following a security breach by a data controller during an office move.

For a serious contravention of the 2003 Regulations, examples include: i) making a large number of automated marketing cold calls causing distress and anxiety to recipients, ii) systematic failings to record and respect marketing objections that lead to an organisation persistently sending marketing faxes to recipients who have objected, and iii) a person covertly tracking an individual’s whereabouts using mobile phone location data.

Reasonable Steps

The Commissioner is more likely to consider that a person has taken reasonable steps to prevent the contravention if any of the following apply:

  • A risk assessment was carried out
  • Good governance and/or audit arrangements were in place to establish clear lines of responsibility
  • Relevant policies and procedures were established
  • Relevant guidance or codes of practice were implemented

Substantial Damage or Substantial Distress

The Commissioner will assess the likelihood and extent of damage or distress objectively, considering whether it is “merely perceived or of real substance”. Note that the totality of the damage or distress suffered by a number of individuals can be substantial, even if individually it isn’t. Thus distress and anxiety caused to a large number of individuals who receive repeated automated marketing calls, particularly where the identity of the caller is concealed so complaining is difficult, would be substantial.

Deliberate Contravention

An example of a deliberate serious contravention under the Regulations would include a company sending marketing text messages to subscribers who have not consented to receiving them, in order to encourage them to send opt-out requests to a premium rate short code.

Knew or Ought to Have Known

The test is objective and the guidance says that the Commissioner will expect the standard of care of a reasonably prudent person. This would include where a company that makes numerous marketing telephone calls is aware that the system it uses for blocking calls to numbers registered with the Telephone Preference Service may develop a fault but continues to make calls without assessing the likelihood of the fault occurring and the implications if it does.

Appropriate Penalty

Broadly, the Commissioner will seek to ensure that the monetary penalty notice is appropriate and that the amount of the penalty is reasonable and proportionate given all the facts of the case and the underlying objectives of deterrence and sanction. In deciding, the Commissioner will take into account the facts of the contravention and any representations made.