What are the new powers which have been provided to the Information Commissioner for serious breaches of the Data Protection Act?

The Information Commissioner

What is the Information Commissioner’s Office?

The Information Commissioner’s Office is the United Kingdom’s independent authority which is set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

It is therefore the body which ensures that the individuals and companies processing information about other individuals (data controllers) comply with the provisions contained within the Data Protection Act 1998.

What new powers have recently been provided to the Information Commissioner?

New powers came into force in April 2010 which permits the Information Commissioner to order data controllers to pay penalties of up to £500,000 for serious breaches of the data protection principles provided for by the Data Protection Act.

A Money Penalty Notice (MPN) can now be served on a data controller by the Information Commissioner for contraventions of the data protection principles occurring on or after 6 April 2010.

Under what circumstances will the Information Commissioner be able to issue a fine under the new powers?

The Information Commissioner may serve a Monetary Penalty Notice (MPN) on a data controller to pay a penalty not exceeding £500,000 when the following conditions will be present:

  • That there has been a serious convention of section 4(4) of the Data Protection Act – i.e. the section which specifies that data controllers must comply with the data protection principles

  • The contravention was of a kind likely to cause substantial damage and substantial distress

  • Furthermore one of the following conditions must also be present:

  • The contravention was deliberate

  • The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of the kind likely to cause substantial damage or substantial distress, but that the data controller failed to take reasonable steps to prevent the contravention

Serious contravention

What is meant by a serious contravention?

The information Commissioner has issued guidance relating to their new powers which states that a contravention will be deemed to be serious using an objective approach. Furthermore the guidance states that one of the best examples of a serious contravention is the situation whereby a data controller fails to take adequate security measures in relation to the data which eventually causes the personal data to be lost.

What would be regarded as a failure to take adequate security measures?

If an individual data controller failed to encrypt personal data when this was required would be viewed as a failure to take adequate security measures in relation to the personal data.

Substantial damage or distress

Again in the guidance provided by the Information Commissioner it has been states that when deciding whether substantial damage or distress has occurred the decision will be taken objectively.

What is meant by substantial damage?

It is likely that damage suffered will be seen as substantial where the individual has suffered some form of quantifiably financial loss. For example if due to the failure to take adequate security measures the banking details of an individual have been used to steal their identity this will be seen as substantial damage.

What is meant by substantial distress?

Distress will be seen as an injury to the feelings of an individual or any harm or anxiety which may have been caused to an individual even if such concerns do not in fact materialise. An example of where the loss of data may result in substantial distress is whereby medical details relating to an individual have been lost or stolen and that individual suffers worry or distress due to the possibility that these medical details will become public knowledge.

Deliberate contravention

When will a deliberate contravention occur?

It is likely that a deliberate contravention of the data protection principles will occur when the breach by the data controller is one which is premeditated or also where specific guidance on how to comply with the provision provided for by the Information Commissioner has not been followed. A deliberate contravention could also include the scenario where a string of breaches which were not rectified caused the final breach.

Knew or ought to have known as to the likelihood of the risk of contravention

When will a data controller be deemed to have known or ought to have known about the risk of contravention?

A data controller will be deemed to have known or ought to have known about the likelihood or the risk of contravention if this would have been apparent to a reasonably prudent data controller. For example if a data controller has been warned by their own internal IT department concerning the likelihood of employees accessing personal data then they will have known or ought reasonably have known regarding the likelihood of contravention.

Failed to take reasonable steps to prevent the contravention

When will a data controller be deemed to have failed to have taken reasonable steps to prevent the contravention?

A data controller will be deemed to have failed to have taken reasonable steps to prevent the contravention whereby they have not undertaken tasks which would usually be expected of them in the circumstances such as a risk assessment or the establishment of appropriate policies.