In October 2009, Christopher Graham, the newly appointed Information Commissioner, addressed a data protection conference in Edinburgh and assured the audience that he was prepared to supplement the traditional "carrot" approach to data protection enforcement, by bringing the "big stick" out of the cupboard. The message was clear: those found responsible for some of the worst breaches of the Data Protection Act 1998 could in future expect to face tougher enforcement action.
Further significance was given to his words in April 2010 when new powers were introduced, allowing him to fine data controllers up to £500,000 for serious breaches of the data protection principles. (These eight principles are contained in Schedule 1 to the Data Protection Act, and ensure that personal data are used fairly, lawfully, and securely, for example to minimise damage to individuals.)
These measures were designed to redress the situation where serious breaches of the data protection legislation resulted in minor (or even no) penalties – a situation which was further exacerbated when contrasted with the wide-reaching powers of other bodies, such as the FSA, for levying significant fines for data losses.
The power to levy a monetary penalty was inserted into the Data Protection Act as section 55A by section 144(1) of the Criminal Justice and Immigration Act 2008. Under the new section 55A, the Information Commissioner can issue a monetary penalty notice where he is satisfied that:
- there has been a serious contravention of section 4(4) of the Data Protection Act 1998 by the data controller;
- the contravention was of a kind likely to cause substantial damage or substantial distress;
- the contravention was deliberate; and
- the data controller knew (or ought to have known) that there was a risk of a contravention, and that it would be likely to cause substantial damage or substantial distress, but failed to take steps to prevent it.
Substantial damage or distress will arise where the data subject suffers in a tangible way (for example, through identity theft) or through anxiety and worry, even if his concerns do not come to pass.
These powers have now been put to use for the first time, with the announcement today that the Information Commissioner has fined two data controllers for significant breaches of the data protection principles.
Hertfordshire County Council has been fined £100,000 for two incidents (which happened within two weeks of each other), where employees faxed highly sensitive details to the wrong recipients. The information in question related to child sexual abuse and to care proceedings, both of which had the clear potential to cause serious damage to the subjects of the information. Sending such sensitive personal data by fax, and failing to ensure its security, is a clear breach of the first and seventh data protection principles.
The second monetary penalty was imposed on A4e, an employment services company, for the loss of a laptop containing unencrypted personal data relating to 24,000 people. The penalty imposed here was £60,000. Again, the loss of unsecured data is a breach of the seventh data protection principle, which requires that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
In both cases, the data controllers at fault reported the losses to the Information Commissioner, which is a positive step in addressing the serious breaches. Nevertheless, the breaches were significant, and the fact that the Information Commissioner now has the power to impose meaningful penalties is a welcome development in establishing a strong commitment to protecting personal data in the UK.