Legal Q&A: New fines under the Data Protection Act

Grant Campbell and Tony Hadden, partners at Brodies, answer questions on new fines under the Data Protection Act.

The Data Protection Act 1998 (DPA) seeks to ensure organisations (data controllers) controlling information relating to living individuals (personal data) deal with that data lawfully, fairly and transparently from the moment that the personal data is obtained, until its destruction or disposal.

The regime is underpinned by eight general data protection principles designed to ensure data controllers adhere to certain standards with regard to data processing. The principles require, for example, that controllers ensure personal data is accurate, up to date (where necessary), processed only for specified purposes, and kept for no longer than is necessary.

One of the data protection principles requires that data controllers take appropriate measures to ensure personal data is not lost, stolen or misused. High-profile data security incidents, such as the loss by Her Majesty's Revenue and Customs of discs containing child benefit information for millions of families, have caused widespread concern among the public.

More specifically, however, they also highlighted that the data protection watchdog, the Information Commissioner's Office (ICO), had inadequate powers to punish data controllers found culpable for failing to meet the standards required by the DPA.

After strenuous lobbying, the ICO has finally been granted new powers to fine data controllers through "monetary penalty notices" where they are found to have breached the data protection principles. The new powers came into effect on 6 April 2010.

Question: How does this affect employers?

Answer: Employers process vast amounts of information relating to their staff, past and present. Personal data commonly held by employers includes recruitment records, personnel files, sickness records, occupational health records, disciplinary information, pension information and payroll records. Employers are, therefore, data controllers whose activities are caught by the DPA, so they must comply with its requirements, or risk sanctions for breach, including the new monetary penalty notices.

Question: Which sectors are affected?

Answer: All employers are affected, including companies, small businesses, sole traders, charities, voluntary organisations, local authorities, government departments and other public sector bodies.

Question: How much could an employer be fined?

Answer: The maximum penalty is £500,000 per contravention.

Question: Do the powers to fine apply to any breach of the DPA?

Answer: No. The ICO can only serve a monetary penalty notice where there has been a "serious contravention" of the data protection principles of a "kind likely to cause substantial damage or substantial distress". In addition, the contravention must be either deliberate or reckless - that is, where the controller actually knew or should have known that there was a risk that such a contravention could occur and "failed to take reasonable steps" to prevent it.

Question: Is the power to fine restricted to cases where there have been data security incidents?

Answer: No. While high-profile data security incidents and breaches of the seventh data protection principle (that data are "kept secure" and not lost, stolen or misused) might have provided the impetus for granting these new powers, it is clear that the power to serve monetary penalty notices extends to breaches of all eight principles (provided they otherwise meet the relevant criteria).

For example, last year a secret blacklist of construction industry workers made the headlines. It was found by the ICO to have contravened several data protection principles, and the private investigator who compiled it was fined £5,000 - the maximum fine at that time for persistent breaches of the DPA. It's likely that from 6 April 2010, any individual or organisation compiling a similar blacklist will risk a monetary penalty notice of significantly higher value than £5,000. (There also remains the possibility of a data subject suing a data controller for compensation if they suffer damage and distress through contravention.)

Question: How will the ICO use the new powers?

Answer: The legislation that introduced the new powers required the ICO to publish guidance on how the new powers would be exercised. This guidance can be obtained on the ICO's website. It includes these key points:

  • A monetary penalty notice will only be appropriate "in the most serious situations".
  • Monetary penalties must be meaningful both as a sanction and a deterrent. The size and resources of a data controller are relevant to determining appropriate penalties.
  • Controllers receiving a monetary penalty will receive a 20% early payment discount if they pay it within 28 days.

Question: Are the new powers retrospective?

Answer: No, the powers only apply to contraventions that occur after 6 April 2010.