Who: The Information Commissioner’s Office (the “ICO”)
Where: UK
When: 20 April 2015
Law stated as at: 6 May 2015
What happened:
On 20 April 2015, the ICO released the third edition of its guidance regarding the issue of monetary penalties of up to £500,000 under section 55C(1) of the Data Protection Act 1998 (the “Guidance”).
This applies to breaches of both the Data Protection Act 1998 (the “DPA”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PCRs”).
The Guidance states in its introduction that the Information Commissioner may impose a monetary penalty notice if “a data controller has seriously contravened the [DPA] or any person has seriously contravened the [PCRs]… and… the contravention was of a kind likely to cause substantial damage or substantial distress.” The Guidance goes on to provide direction on the meanings of “distress” and “damage”.
This came as a surprise because it does not take account of the significant change made to the relevant law on 6 April 2015.
The change was made by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015 (the “PCARs”).
The change dropped the requirement to prove “substantial damage” or “substantial distress” when imposing a monetary penalty notice for breaches of regulations 19-24 of the PCRs.
Subsequent enquiries to the ICO confirmed that the new Guidance was in fact out-of-date on the date of publication.
This was apparently due to a simple case of poor timing. The revised Guidance had been in the works for some time and it seems that the ICO had been taken somewhat by surprise by the Coalition’s last minute introduction of the PCARs.
The ICO also confirmed that new guidance is currently being drafted but could not provide a date for publication because this will be managed by the Stationery Office. As Parliament is currently dissolved at the time of writing this article, one suspects that this may take some time.
Why this matters:
The Guidance still provides very welcome clarification of the ICO’s enforcement policy as regards the types of data law breach that are unaffected by the PCARs.
It is also helpful on how the ICO will interpret the requirements that continue to apply in this context in respect of all breaches of the DPA and the PCRs. These include the need for a “serious contravention” to have occurred and unless the contravention was deliberate, for the entity served with the notice to have failed to take “reasonable steps” to prevent the contravention in circumstances where they knew or ought to have known that there was a risk that the contravention would occur.