The Information Commissioner’s Office has been granted new enhanced powers
£500,000 fines proposed for serious data protection breaches
From 6 April 2010, it is intended that the Information Commissioner’s Office (“ICO”) will have a new power to fine companies up to £500,000 for serious breaches of the Data Protection Act 1998 (“DPA”). Following a public consultation, the Secretary of State for Justice has approved the maximum fine, which is designed to address wilful breaches of the DPA.
Before deciding whether to impose the maximum penalty, the ICO must be satisfied that:
- the breach was sufficiently serious;
- the data controller knew (or should have known) that the breach may occur and that substantial damage and distress was likely to have been caused; and
- despite this, the data controller did not take reasonable steps to prevent the breach.
Discretion to assess the level of a fine will rest with the ICO and it has confirmed that it will take a pragmatic and proportionate approach. A company’s financial resources, sector and size will be considered to avoid financial hardship. There will be an appeal process to challenge the imposition, or size, of a fine.
Statutory guidance has also been produced to set out details of the circumstances in which fines will be issued by the ICO and how the level of fines will be determined.
Increased enforcement powers
The ICO is responsible for monitoring and enforcing compliance with legislation covering data protection. Following several high-profile data protection breaches in the private and public sectors, the Coroners and Justice Act 2009 (“CJA”) will amend the DPA to give the ICO new audit and inspection powers, including:
- the right to serve an “assessment notice” on a data controller to assess whether it has complied or is complying with the data protection principles;
- where a data controller does not comply with the time scales or required period for compliance set out in an assessment notice, the ICO has been granted the power to apply for a warrant to enter and inspect any premises stated in the notice.
The CJA amends the DPA to require the ICO to publish a code of practice on the use of assessment notices. In addition, the ICO is required to issue a code of practice on data sharing. This code will not have the force of law, but it will serve as a yardstick against which data controllers’ compliance with the data protection rules can be assessed.
A commencement date for these provisions has yet to be announced.
Commentary
The ICO has long campaigned for greater enforcement powers, on the back of its ongoing name and shame programme. Originally, it envisaged that such audit powers would apply only to public sector organisations. However, the new audit powers now extend to both public and private sector organisations.
In light of the proposed new and substantial penalties and the increased enforcement powers to be granted to the ICO, employers in all sectors should undertake health checks to review their data protection policies and practices. Employers must ensure that they are complying with the data protection principles on a day-to-day basis to minimise the risk of being fined for any such breaches should the ICO decide to visit an organisation and exercise its audit powers in future.
Resources
The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010
The draft Data Protection (Monetary Penalties) Order 2010
ICO statutory guidance on monetary penalties
For further information or to discuss the issues raised, please contact Guy Abbiss (guy.abbiss@abbisscadres.com) or Colina Greenway (colina.greenway@abbisscadres.com) on +44 (0) 203 051 5711.