Coming Soon – Fines for Breaches of the Data Protection Principles

23/12/2009


The Criminal Justice and Immigration Act 2008 provides the power to impose civil monetary penalties for serious breaches of one or more of the eight principles in the Data Protection Act 1998 (DPA). These principles provide that personal information must be:
 
  1. processed fairly and lawfully;
  2. processed only for specified, lawful purposes;
  3. adequate, relevant and not excessive;
  4. accurate and kept up to date;
  5. not kept for longer than is necessary;
  6. processed in accordance with the rights of data subjects under the DPA;
  7. kept secure from unauthorised or unlawful processing, loss or damage; and
  8. not transferred to countries outside the European Economic Area unless adequate safeguards are in place.
 
Currently, however, the Information Commissioner’s Office (ICO) only has limited powers at its disposal to punish those who contravene the DPA. Whilst the issuing of an enforcement notice is appropriate when a data controller commits a minor breach of the principles, the ICO has long sought the power to impose substantial penalties on those guilty of a more serious breach.
 
The Government has now published a proposal to give the ICO the power to levy fines up to a maximum penalty of £500,000. Following consultation, a report on its findings will be issued on 11 January 2010.
 
Fines will be levied only if the ICO is convinced either that the breach was deliberate, or that the data controller knew, or ought to have known, that there was a risk of a contravention of the principles likely to cause substantial damage or distress, and failed to take preventive action.
 
Draft guidance showing the criteria the ICO intends to use, and the circumstances it will take into account when issuing civil monetary penalties, is available at http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/draft_guidance_monetary_penalty_notices.pdf.
 
Says <<CONTACT DETAILS>>, “Employers must take their data protection responsibilities seriously and ensure that the right policies and procedures and suitable technology and training arrangements are in place. We can advise you on developing and enforcing policies which fully comply with the DPA.”
 
 
Partner Note
From the website of the Information Commissioner. See http://www.ico.gov.uk/.
