Fines For Serious Breaches Of Data Protection Now £500,000

The Data Protection Act 1998

19.01.2010

On 12 January 2010, the government published its response to the public consultation "Civil Monetary Penalties – Setting the maximum penalty".

This consultation, which was launched on 9 November 2009 and closed on 21 December 2009, proposed the introduction of a maximum civil monetary penalty that may be imposed by the Information Commissioner for serious breaches of the Data Protection Act.

The Data Protection Act 1998 defines UK law on the processing of data relating to identifiable living people and is the main piece of legislation governing the protection of personal data in the UK.  Anyone holding or processing personal data (known as a data controller) must handle the personal data in accordance with the data protection principles.  In broad terms, if you collect or hold information about an identifiable living individual or if you use, disclose, retain or destroy that information, you are likely to be processing personal data and are legally obliged to comply with the Data Protection Act, although there are some exemptions.  The Act sets out eight data protection principles for the processing of personal data:

  1. It must be processed fairly and lawfully and, in particular, must satisfy:
     a) at least one of a number of specific conditions; and
     b) in the case of sensitive personal data, at least one of a number of additional conditions;
  2. It must be obtained only for specified and lawful purposes, and must not be further processed in any way incompatible with those purposes;
  3. It must be adequate, relevant and not excessive in relation to the purpose for which it is processed;
  4. It must be accurate and, where necessary, kept up to date;
  5. It must not be kept for longer than is necessary;
  6. It must be processed in accordance with the data protection rights granted under the DPA;
  7. Appropriate technical and organisational measures must be taken to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage; and
  8. It must not be transferred outside the European Economic Area unless the country to which it is transferred adequately protects the rights of the data subject(s) in relation to the processing of their personal data.

Section 55A of the Data Protection Act imposes monetary penalties for serious breaches of the data protection principles.  The government has now proposed that the maximum amount that the Information Commissioner will be able to impose will be increased to £500,000.

During its consultation, the Government received 52 responses, 27 of which agreed that £500,000 was the right maximum fine.

On 12 January 2010, new Regulations were laid before Parliament to create the necessary legal framework to give the Information Commissioner the authority to impose the £500,000 penalty for serious breaches of the Data Protection Act.  The Information Commissioner will be able to impose the penalty if he is satisfied that there has been:

  1. A serious contravention by the data controller of the data protection principles; and
  2. The contravention was of a kind likely to cause substantial damage or distress.

Such contraventions must be either deliberate or something which the data controller knew (or ought to have known) would occur and that they would be likely to cause substantial damage or distress, but which he failed to take reasonable steps to prevent.

The relevant pieces of legislation currently before Parliament and due to come into force are:

  • The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010; and
  • The Data Protection (Monetary Penalties) Order 2010

The Information Commissioner, Christopher Graham, said: "These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act.  I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act.  But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law".

Michael Wills, the Justice Minister, said: "Civil Monetary Penalties of up to half a million pounds will ensure that the Information Commissioner is able to impose robust sanctions on those who commit serious contraventions of the data protection principles.  Most data controllers do comply with the principles but since misuse of even small amounts of personal data can have very serious consequences, it is vital that we do all that we can to prevent non-compliance. Penalties of up to £500,000 will act as a strong deterrent".

The Ministry of Justice has confirmed that, depending on Parliamentary approval, the new monetary penalties regime will come into effect on 6 April 2010.

For a full explanatory memorandum of the new legislation, please click on the following link: http://www.opsi.gov.uk/si/si2010/draft/em/ukdsiem_9780111490723_en.pdf.

Should you require data protection advice or information, our lawyers can advise, defend and represent you (in an individual or corporate capacity) in relation to alleged Data Protection breaches - whether criminal or regulatory.  We can also advise in relation to the use of Information Commissioner's Office ("ICO") powers.  We have specialist lawyers who provide a nationwide network through our offices in Birmingham, Leeds, London, Manchester and Sheffield.

For an initial discussion, with no obligation, call Sarah Wallace on 0207 421 3883 or Dan Stowers on 0114 274 4295.