Data Protection: the new ‘Monetary Penalties’: Businesses Beware!
On 6th April, 2010, new powers were given to the Information Commissioner (the guardian of personal data), to impose ‘monetary penalties’, on data controllers, who do not comply with ‘the Data Protection Principles’, pursuant to the new sections of the 1988 Act: ss 55A – 55D of the Data Protection Act 1998.
Under s 55A of the 1998 Act, the Information Commissioner, in deciding whether to serve ‘a monetary penalty notice’ upon a data controller, has to satisfy himself of the following:
(i) ‘a serious breach of the data protection principles’, by the data controller has occurred;
(ii) the breach was such that it was ‘likely to cause substantial damage or substantial distress’; and
(iii) the breach was either: (a) ‘deliberate’, or (b) that the ‘risk’ of a breach of the type referred to, was ‘known’ or should ‘have [been] known’, and there was a failure to take ‘reasonable’ preventative action.
(See s 55A((1)-(3) of the Data Protection Act 1998)
Size of Penalty
The amount of the penalty cannot exceed £500,000 (see s 55A(4) of the 1998 Act and reg 2 of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010 No 31)). Payment of the penalty is ‘to the Information Commissioner’, within the time period stated ‘in the notice’. [S 55A(6) of the 1998 Act].
The ‘prescrbed’ ‘information’, required in the notice, under s 55(7) of the 1998 Act, is set out in reg 4 of the 2010 Regulations (above).
‘Notice of Intent’
As a preliminary procedure, ‘a notice of intent’ has to be served on ‘the data controller’, by the Information Commissioner: see s 55B of the 1998 Act. The purpose of this notice is to give ‘the data controller’ a chance to ‘make representations’ to the Information Commissioner, before an actual ‘penalty notice’ is issued: see ss 55(3), (4) of the 1998 Act. Under s 55B(5) of the 1998 Act, a data controller has a right of ‘appeal to the Tribunal’ (this is either ‘the First-tier Tribunal’ or ‘the Upper Tribunal’: see article 2(3) of the Transfer of Tribunal Functions Order 2010 (SI 2010 No 22)).
‘Guidance’ Regarding Monetary Penalties
Under s 55C of the 1998 Act, there is a requirement that the Information Commissioner ‘prepare[s] and issue[s] guidance’ regarding ‘how he proposes to exercise his functions’ concerning ‘monetary penalties’ and ‘notices of intent’: see s 55C(1) of the 1998 Act. Included in ‘the guidance’ there has to be statements concerning:
‘(a) the circumstances in which’ the Information Commissioner ‘would consider it appropriate to issue a monetary penalty’; and
(b) how the size of the penalties will be determined
(See s 55C(2) of the 1998 Act).
This guidance can be changed or ‘replaced, which the Information Commissioner has to ‘issue’: see s 55C(2) of the 1998 Act. However, there is a requirement that before ‘guidance’ is issued by the Information Commissioner (which, seemingly, includes changed or ‘replacement guidance’), the Secretary of State’s ‘approval’ has to be obtained, and the Information Commissioner has to ‘lay any guidance issued under [s 55C] before’ both ‘House[s] of Parliament’: see ss 55C(4), (5) and (6).
Information Commissioner's Guidance
The Information Commissioner has issued such ‘guidance’: see ‘Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under section 55C(1) of the Data Protection Act 1998’ (12th January, 2010) (Crown copyright). This ‘guidance’ is available on the Information Commissioner’s website: www.ico.gov.uk
Enforcement of Penalty Notices
Non-compliance with ‘a monetary penalty notice’ can result in the Information Commissioner commencing court proceedings to recover ‘the penalty’: see s 55D of the 1998 Act.
The Secretary of State, under s 55E of the 1998 Act, has power to ‘make further provision’ regarding ‘monetary penalty notices’ plus ‘notices of intent’: see s 55E(1).
The new ‘monetary penalties’ supplement, reinforce and add potency to the Information Commissioners’ other powers of enforcement, set out in Part V of the 1998 Act (ss 40-50). Given that there have been highly publicised instances of organisations in the private and public sectors disclosing or misplacing ‘personal data’, in circumstances which could breach ‘the data protection principles’, the new powers will be a strong incentive for commercial enterprises (and public sector entities) to make sure that customer data is stored and processed properly. In the current economic circumstances, a penalty of up to £500,000 will not be welcomed by many commercial organisations, not only in pecuniary terms, but also in terms of their reputation. A penalty at the upper end of the scale will indicate the breach was significant, and customers may take a view accordingly.