New Penalties for Breach of Data Protection
Jenny Armitage LLB
28/05/2010
Executive Summary
From 6 April 2010 the Information Commissioner’s Office (ICO) has new powers to impose penalties of up to £500,000 for serious breaches of one or more of the eight principles of data protection law. Anyone who processes personal data must comply with these eight principles, which were introduced to ensure organisations adhere to certain standards with regard to data processing. The aim of the eight principles is to protect personal data. The penalty for breach of any of these eight principles will correspond with the seriousness of the breach and will be intended to be a sanction and a deterrent against future breaches.
Background
The current law governing data protection in the UK is the Data Protection Act 1998[i] (DPA). The DPA seeks to ensure organisations controlling personal data deal with that data lawfully, fairly and transparently from the moment that the personal data is obtained, until its destruction or disposal.
Provisions introduced in the Criminal Justice and Immigration Act 2008[ii] will enable the ICO to impose substantial fines on organisations where there is evidence of reckless or deliberate data protection breaches.
The regime is underpinned by eight general data protection principles designed to ensure data controllers adhere to certain standards with regard to data processing.
The Eight Principles
Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
1. Fairly and lawfully processed,
2. Processed for limited purposes,
3. Adequate, relevant and not excessive,
4. Accurate and up to date,
5. Not kept for longer than is necessary,
6. Processed in line with your rights,
7. Secure, and
8. Not transferred to other countries without adequate protection.
The Penalties
The power to apply monetary penalties applies to all data controllers in the private, public and voluntary sectors. A monetary penalty notice cannot be imposed on a person who is not a data controller, for example an employee of a company or a volunteer for a charity.
The ICO can only serve a monetary penalty notice where there has been a "serious contravention" of the eight principles of a "kind likely to cause substantial damage or substantial distress". In addition, the contravention must be either deliberate or reckless – that is, where the controller actually knew or should have known that there was a risk that such a contravention could occur and "failed to take reasonable steps" to prevent it. The maximum penalty is £500,000 per contravention.
The ICO will take an objective approach in considering whether there has been a serious breach of the eight principles. The presence of one or more of the following factors will make the imposition of a monetary penalty more likely:
- Seriousness of the contravention – the duration or extent of the contravention, the nature of the personal data, or the number of individuals affected;
- Likelihood of substantial damage or distress;
- Deliberate breach;
- The data controller ought to have known there was a risk that such a contravention could occur – no risk assessment, no evidence that the data controller had taken steps to address any risks, or the data controller had no specific procedures in place which may have prevented the contravention.
The presence of one or more of the following factors will make the imposition of a monetary penalty by the Commissioner less likely:
- The contravention was caused or exacerbated by circumstances outside the direct control of the data controller and the data controller had done all that it reasonably could to prevent contraventions of the Act.
- The data controller has already complied with any requirements or rulings of another regulatory body in respect of the facts giving rise to the contravention (the Commissioner will endeavour to work closely with other regulators with a view to ensuring that multiple penalties are not imposed on a data controller for what is in effect a single failure).
- There was genuine doubt or uncertainty that any relevant conduct, activity or omission in fact constituted a contravention of the Act.
Monetary penalties must be meaningful both as a sanction and a deterrent. The size and resources of a data controller are relevant to determining appropriate penalties. Controllers receiving a monetary penalty will receive a 20% early payment discount if they pay it within 28 days.
The size of the penalty
The factors which will govern this are not finite and will vary from case to case. However, some of the most relevant factors which the ICO will consider are:
- The nature of the breach – the seriousness of the breach, whether the breach was a one-off or one of a series of similar breaches, the extent of the breach, and whether the breach was caused by events outside the data controller’s control;
- The effect of the breach;
- Behavioural issues – what procedures the data controller had in place to avoid the breach, what steps, if any, had been taken to avoid the breach, the actions of the data controller once they had become aware of the breach, and whether there has been any offer of compensation from the data controller;
- The impact on the data controller – the nature and size of the sector will be taken into account, the ICO will aim to eliminate any financial gain obtained by the data controller from the breach, and the ICO will take into account genuine proof of financial hardship.
The amount of the monetary penalty determined by the Commissioner cannot exceed £500,000.
Procedure
Once the level of a monetary penalty has been determined, the Commissioner must serve the data controller with a notice of intent before he can issue a monetary penalty notice. The notice of intent will set out the proposed amount of the monetary penalty.
The notice of intent must specify a period within which the data controller can make written representations to the Commissioner. This period must not be less than 21 days beginning with the first day after the date of service of the notice of intent.
Once this period has expired, the ICO will reconsider whether the amount is proportionate, ensure it is within the prescribed limit of £500,000, take into account any representations made by the data controller, and then either serve a monetary penalty notice or write to the data controller stating that no further action will be taken.
The ICO may not serve a monetary penalty notice if a period of more than 6 months has elapsed since the issue of the notice of intent.
The monetary penalty notice can be varied by the ICO. This can be by either reducing the amount to be paid (the ICO must repay any amount already paid in excess), or extending the time period in which the penalty can be paid. The monetary penalty notice can also be cancelled with a cancellation notice. Should this occur, the ICO must repay all amounts already paid.
Key Definitions
Personal Data – Information relating to living individuals
Data Controller – Person who processes personal information