What are the new powers which have been provided to the Information Commissioner for serious breaches of the Data Protection Act?

The Information Commissioner

What is the Information Commissioner’s Office?

The Information Commissioner’s Office is the United Kingdom’s independent authority which is set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

It is therefore the body which ensures that the individuals and companies processing information about other individuals (data controllers) comply with the provisions contained within the Data Protection Act 1998.

What new powers have recently been provided to the Information Commissioner?

New powers came into force in April 2010 which permit the Information Commissioner to order data controllers to pay penalties of up to £500,000 for serious breaches of the data protection principles provided for by the Data Protection Act.

A Monetary Penalty Notice (MPN) can now be served on a data controller by the Information Commissioner for contraventions of the data protection principles occurring on or after 6 April 2010.

Under what circumstances will the Information Commissioner be able to issue a fine under the new powers?

The Information Commissioner may serve a Monetary Penalty Notice (MPN) requiring a data controller to pay a penalty not exceeding £500,000 when the following conditions are present:

  • That there has been a serious contravention of section 4(4) of the Data Protection Act – i.e. the section which specifies that data controllers must comply with the data protection principles

  • The contravention was of a kind likely to cause substantial damage and substantial distress

  • Furthermore, one of the following conditions must also be present:

      • The contravention was deliberate

      • The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of the kind likely to cause substantial damage or substantial distress, but that the data controller failed to take reasonable steps to prevent the contravention
