Corporate executives and management do not often list data protection as a key area of risk for business. More often than not, data protection is viewed as a low-risk compliance issue with a loud bureaucratic bark but little real bite.
Two recent data protection related cases in the United Kingdom highlight the differences between the levels of penalty currently levied on regulated and unregulated entities in relation to non-compliance with data protection obligations. Although the regimes are currently materially different, this is very likely to change with the coming into force of new legislation in early 2010. The regime change will affect all entities that are data controllers under the Data Protection Act 1998 (DPA). This will include US and other international entities that have no establishment in any other European Member State and use equipment in the United Kingdom for processing personal data.
Financial Services Authority
In the United Kingdom regulation of the financial services industry is overseen by the Financial Services Authority (FSA). The FSA is empowered to impose penalties in “such amount as it considers appropriate” where an authorised person has contravened a requirement imposed by or under the Financial Services and Markets Act 2000. The FSA’s Principles for Business constitute such a requirement. Principle 3 states that “a firm [organisation] must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”. This Principle can be applied to the organisation’s data protection obligations.
Between 2004 and 2008 the FSA levied approximately £1.8 million in fines for failings relating to data security lapses and fraud. In 2009 alone the FSA has levied fines totalling over £3 million and which would have exceeded £4.5 million had they not been reduced to reflect the co-operation of the organisations involved.
These fines resulted from the discovery by the FSA that, despite having data protection policies and procedures in place, organisations were not complying with them in practice. In its investigations the FSA found in one instance that large amounts of unencrypted personal information had been sent via mail or courier to third parties. In another, customers’ confidential information was routinely left unsecured on open shelves or in unlocked cabinets. It was also found that staff were not given sufficient training on how to identify and manage risks like identity theft. Although the FSA could not show that these practices had led to any actual loss being suffered by those whose personal data was at risk, the FSA found that the organisations had failed to put in place adequate procedures to manage the risk of financial crime and issued the fines.
In addition to the fines levied, other sanctions included mandatory training programmes on information risk training for staff and annual data protection refresher courses. For one organisation it has also resulted in the introduction of compulsory encryption of all electronic data transfers.
Information Commissioner’s Office
In 2008 the UK’s Information Commissioner’s Office (ICO) conducted an investigation into a private firm, The Consulting Association, and the individual that ran it, Ian Kerr. The investigation revealed that for over 15 years Mr Kerr had been running a database of construction workers used by over 40 construction companies containing personal information, including names, dates of birth, national insurance numbers, locations and trades. The database also included sensitive personal data such as individuals’ trade union activity. The individuals whose personal data was on the database were not aware of the existence or use of the database.
The investigation revealed that approximately 40,000 checks on individuals were undertaken by Mr Kerr’s company during 2008 at the request of member companies who subscribed to Mr Kerr’s system for a £3,000 annual fee.
Mr Kerr did not provide the individuals whose personal data was on the database with the standard information required by the DPA of a data controller, such as his identity and the purpose for which data is intended to be processed. By doing so, in the ICO’s view, Mr Kerr contravened the First Data Protection Principle in that he had processed personal data unfairly. Currently there are no punishments available for breaches of the Data Protection Principles, which is why the ICO chose only to prosecute Mr Kerr for failing to notify as a data controller. Mr Kerr was duly prosecuted and fined £5,000.
The fine imposed in this case was the statutory maximum for the offence. In light of the potential damage caused to those that may have been refused employment on the basis of the personal information held by Mr Kerr this sanction may be deemed wholly inadequate. The outcome of this case highlights the current limitations of the ICO dealing with DPA breaches.
These cases evidence the gulf that exists between the enforcement powers of the FSA and those of the ICO. This is heightened by the fact that the FSA is currently consulting on proposals to change its policy on the determination of appropriate financial penalties in enforcement cases. The intention is to improve the transparency and consistency of the FSA’s penalty-setting process, but also to increase penalties. This could lead to fines of up to 20 per cent of turnover for the most serious breaches. The aggressive position taken by the FSA reflects its focus on data security and the fact that confidentiality is seen as a foundation for customer confidence in the financial services sector.
In order to address the imbalance between the regulated financial services sector and the unregulated sector administered by the ICO, there are a number of proposals currently in the UK Parliament that will affect all data controllers in the UK. The first proposal is the introduction of a maximum two year custodial sentence for the “knowing or reckless misuse of personal data”; in addition, the ICO will be able to penalise those who deliberately or recklessly breach the Data Protection Principles, and the level of fines that the ICO can levy is set to increase dramatically. The exact level of the fines has not yet been set, but it is likely that the ICO may follow the FSA’s lead. Those data controllers that are FSA regulated may face actions from both the FSA and the ICO concurrently, each of which could result in a material fine. It is expected that these proposals may be in force by April 2010.
The threat of custodial sentences and the potential for 20 per cent of annual turnover being forfeited in the event of serious data protection breaches mean that the UK’s data protection regime will soon have a bite to match its bark. For all organisations that hold any personal data, it will be prudent to review current data protection policies and practices before April 2010.