From 6 April 2010, the Information Commissioner’s Office will get the power to impose fines of up to half a million pounds for serious breaches of data protection legislation. Phil Lee reports on the significance for marketers.
Topic: Privacy
Who: Information Commissioner's Office
When: 6 April 2010
Where: UK
Law stated as at: 25 January 2010
What happened:
It's official! The Information Commissioner's Office ("ICO") will be able to impose fines of up to £500,000 on data controllers who flout data privacy compliance from 6 April this year (marketinglaw regulars will remember we predicted this last month).
The powers were introduced through an amendment to the Data Protection Act 1998 ("DPA") made by the Criminal Justice and Immigration Act 2008. This introduced a new s.55A into the DPA that allows ICO to issue a "monetary penalty notice" (in English: a fine) to data controllers that have knowingly or recklessly committed a "serious" data protection breach "of a kind likely to cause substantial damage or substantial distress".
Before this power could come into force, ICO had to produce guidance explaining how and when it would issue fines. The Ministry of Justice also had to settle on a maximum amount of fine that it would allow ICO to impose.
Both of these requirements have now been resolved: ICO's guidance can be found here. Meanwhile, the snappily-titled Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (which come into force on 6 April 2010) have set the maximum fine ICO can impose at £500,000. This follows the earlier Ministry of Justice consultation on maximum data breach fines that marketinglaw reported on last month.
So what are the key points to bear in mind in relation to ICO's new powers? We've set out a few below:
- Only serious data protection breaches will attract fines, not each and every minor privacy breach. Before a fine can be issued, there must have been: (i) a serious breach; (ii) committed knowingly or recklessly; and (iii) the breach must have been likely to cause substantial damage or substantial distress. The result is that, for the time being, ICO's energies are likely still to be most focussed on encouraging compliance, rather than beating every non-compliant controller with an enforcement stick.
- Marketers should not regard themselves, however, as in any way immune from the exercise of these new powers. To underline this, one example cited in the statutory guidance of the type of case where ICO would consider exercising its new powers is as follows:
"A marketing company collects personal data stating it is for the purpose of a competition and then, without consent, knowingly discloses the data to populate a tracing database for commercial purposes without informing the individuals concerned."
- However, non-compliant controllers should be aware that seriousness and substantiality will not be assessed in pure number terms. Whilst a breach that affects thousands of people is undoubtedly likely to be considered serious, a breach that only affects a handful of people could still be considered serious and likely to cause substantial harm – for example, if the breach concerns personal records of a sensitive nature (e.g. medical records or banking details).
- Interestingly, the fines will not apply to breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") – they apply only to breaches of the DPA. However, marketers should not take this to mean that failing to respect marketing opt-ins and opt-outs and other PECR requirements will not attract risk. In most instances, a breach of PECR will also attract liability under the DPA.
- In assessing whether a data controller committed a breach knowingly or recklessly, ICO will look at whether the data controller took reasonable steps to avoid breaches, including: (a) whether the data controller had carried out a risk assessment and taken steps to address the risks of handling personal data; (b) whether the data controller had good governance and/or audit arrangements in place; (c) whether the data controller had appropriate policies, procedures, practices or processes in place; and (d) the data controller's compliance with applicable guidance and codes of practice.
- ICO cannot use the fines it imposes to self-fund (as is the case, for example, with the Spanish data protection regulator). Instead, any fines it imposes must be paid into the Consolidated Fund owned by HM Treasury. Therefore, while these powers will at last give ICO real teeth, data controllers can rest assured that ICO will not impose ludicrous fines simply as a means of furnishing its offices.
- Finally, ICO will not impose fines in respect of breaches it uncovers while auditing a data controller, whether as a result of a voluntary audit under s.51(7) DPA or a mandatory audit under s.41A DPA (s.41A is yet to come into effect, although it is anticipated that this will probably also happen in April 2010). Although typically perceived as undesirable, regulatory audits may therefore prove a useful tool for data controllers to get a compliance health check by ICO, whilst taking comfort that any lurking compliance issues discovered as part of the audit will not attract fines.
Why this matters:
At long last, ICO will finally have the teeth it needs to enforce data protection compliance. The focus on "serious" breaches, together with ICO's assurance that it will not fine data controllers for breaches uncovered during regulatory audit, is consistent with ICO's message that it prefers to encourage compliance, rather than simply penalise non-compliance.
Nevertheless, Christopher Graham has made no secret of his desire to start flexing his regulatory muscle, saying "I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law". Bearing this in mind, our money is on ICO pursuing a high profile enforcement case, probably no later than the end of this year.
It's time to double-check your compliance policies and procedures – is your business taking the reasonable steps it needs to ensure that it does not allow a reckless data breach to occur?