Serious breaches of the DPA
Following consultation, the Ministry of Justice has introduced new legislation which will enable the Information Commissioner to impose financial penalties of up to £500,000 for serious breaches of the DPA. These powers are expected to come into force on 6 April 2010. The Information Commissioner’s Office has published statutory guidance on the circumstances in which the Commissioner will issue fines, and how he will decide on the level of fines.
The statutory guidance indicates that a monetary penalty notice (“MPN”) will only be appropriate in the most serious situations. To issue an MPN, the Commissioner must be satisfied that:
a) There has been a serious contravention of section 4(4) of the DPA (i.e. the data controller’s duty to comply with data protection principles) by the data controller;
b) The contravention was of a kind likely to cause substantial damage or substantial distress; and either:
c) The contravention was deliberate; or
d) The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.
Examples of serious contraventions include:
- The failure by a data controller to take adequate security measures (use of encrypted files and devices, operational procedures, guidance etc.) resulting in the loss of a compact disc holding personal data.
- Medical records containing sensitive personal data are lost following a security breach by a data controller during an office move.
How the Commissioner will determine the amount of a monetary penalty
Once the Commissioner decides that an MPN is to be imposed, he will then consider what amount is appropriate in the circumstances of the case. Below is a list of factors which may be relevant to the Commissioner’s decision (the list is not exhaustive):
- Nature of the Contravention – e.g. how serious the contravention was or is and how many individuals are affected.
- The Effect of the Contravention – whether substantial damage or substantial distress has been caused to individuals.
- Behavioural Issues – i.e. the behavioural decisions of the data controller relating to the contravention e.g. whether any steps had been taken to avoid the contravention; or whether the data controller was prepared to offer compensation to those affected.
- Impact on the Data Controller – the Commissioner will take into account the sector, whether the data controller is a voluntary organisation, and also the size, financial and other resources of the data controller.
Action Steps
Data controllers should ensure that their data protection policies are up to date and correctly applied. Provided the policies are followed, it seems unlikely that most employers would be affected by this change. To review the statutory guidance, visit the Information Commissioner’s Office website.