The UK Government has announced that new powers to impose fines of up to £500,000 for serious breaches of the Data Protection Act 1998 (DPA) will come into force on 6 April 2010. The penalty can be imposed by the Information Commissioner’s Office (ICO) and will apply to serious breaches of the data protection principles under the DPA which are likely to cause substantial damage or distress, and which are committed deliberately or recklessly.
Getting data protection right has never been more important than it is today. Now is the time for data controllers to assess and, where necessary, modify their current practices and procedures for data protection compliance. The stakes are higher than ever before for data controllers, as the new fine could have serious monetary and/or reputational repercussions for any organisation.
This monetary penalty has been introduced in response to a series of high profile data security breaches in both the public and private sector. The tougher sanctions for breaches of the DPA will significantly increase the ICO’s (currently very limited) enforcement powers.
There were proposals for operating a system whereby fines would be based on a percentage of an organisation’s turnover akin to that used by other regulators such as the Financial Services Authority (FSA). However, these proposals were abandoned following discussions with the ICO and taking into account the greater administrative burden involved in operating a turnover-based system.
Some have argued that, despite the maximum fine being raised from £5,000 to £500,000, the cap is still too low for larger data controllers when compared with the fines the FSA imposes on the larger entities it regulates for data breaches in the financial services sector.
The difference in potential fines for data protection breaches between regulated and non-regulated entities has always been marked. The concern going forward for regulated entities is the prospect of being open to fines for such breaches not only from the FSA itself but also from the ICO. In the past this may not have been so material, but the increase in the level of fine will inevitably change this for some entities. Luckily the ICO has taken a pragmatic approach and said that it will work with the FSA to avoid regulated entities being fined twice – in other words there is little risk of “double jeopardy”.
The ICO has published statutory guidance explaining how it will use its new powers and how organisations can ensure compliance. In particular, the guidance explains the procedural aspects of the new sanction, the circumstances in which the Commissioner would consider it appropriate to issue a monetary penalty notice, practical illustrations of each of the key elements of the legal test, and factors the ICO will take into account when determining the amount of the penalty.
Although the Commissioner has stated that he will not hesitate to use the new monetary penalties for the most serious cases, responsible data controllers who follow good data protection practices should have little to fear.
The guidance is a useful tool for data controllers to check that all of the appropriate and relevant good practice measures are implemented in order to avoid incurring a fine.
Whilst the monetary penalties have now been clarified, the Government consultation is still ongoing in relation to the introduction of custodial sentences for obtaining personal data unlawfully. These proposals were introduced in parallel with the new monetary penalties, but the Government is yet to confirm its position on custodial sentences. Following the increase in fines in April, it is probable that the next material change to data protection law in the United Kingdom will be the introduction of punishment of up to two years’ imprisonment for any person found guilty of obtaining personal data unlawfully. The enforcement of data protection in the United Kingdom continues to become more personal.