Since 6 April 2010 the UK Information Commissioner’s Office (“ICO”) has had the power to impose fines of up to £500,000 as a penalty for serious breaches of the Data Protection Act 1998 (“the Act”).
Individuals and organisations who hold personal data and who determine the purposes for which that personal data is to be used are known as “data controllers” under the Act and as such have various duties under the Act including notifying the ICO of the processing that they carry out.
The fines are to be imposed where there has been a contravention that is serious and of a kind likely to cause substantial damage or distress. The contravention must have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it. In addition to issuing a fine, the ICO may still serve an enforcement notice (an order for the data controller to carry out certain actions or refrain from certain conduct in future) in relation to the same contravention if the ICO is satisfied that positive steps are also required to ensure compliance by the data controller with the data protection principles enshrined in the Act.
When serving monetary penalties, the ICO will consider the surrounding circumstances, including the seriousness of the breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent and what reasonable steps were taken to prevent it. The ICO will also take account of the sector in which the data controller operates (for example, whether the data controller is a voluntary organisation) and the size and financial and other resources of the data controller before determining the amount of a monetary penalty.
Examples of penalties handed out to date by the ICO under these powers include:
• A fine of £100,000 awarded against Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients - one concerning child sexual abuse and the other concerning details of care proceedings;
• A fine of £120,000 awarded against Surrey County Council for a serious breach of the Act after sensitive personal information was emailed to the wrong recipients on three separate occasions;
• A fine of £80,000 awarded against Worcestershire County Council for an incident in March 2011 in which a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients; and
• A fine of £60,000 issued to an employment services company, A4e Limited, for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
In order to avoid a fine, individuals and organisations who are data controllers must familiarise themselves with their duties under the Act and comply with them. In practice, this includes putting in place appropriate security to prevent the personal data they hold being deliberately or accidentally compromised. In addition, those individuals and organisations should:
• consider the nature of the personal data they hold and the consequences of a security breach in relation to this data;
• nominate a specific person or persons in the organisation to be responsible for ensuring information security;
• ensure that both staff and security are of the utmost reliability and implement policies to support this; and
• be ready and able to respond to any breach of security swiftly and effectively.
Taking these steps and implementing these practices will help to reduce the risk of a fine such as those listed above. If you are in any doubt about your obligations under the Data Protection Act 1998 you should seek legal advice or contact the ICO for further information.