Commerce & Technology Partner Mark O'Shea considers recent fines imposed for data protection transgressions, and the potential cost of these to businesses.
ICO Powers
The Information Commissioner's Office (ICO) has a broad range of powers to enforce data protection infringements. The ICO can require businesses to pay up to £500,000 for serious breaches of the Data Protection Act 1998 or for serious breaches of the Privacy and Electronic Communications Regulations by issuing monetary penalty notices.
Other sanctions include:
- information notices which require specified information to be provided within a stated time period;
- undertakings which commit a business to a particular course of action;
- enforcement notices and 'stop now' orders which require businesses to take (or refrain from taking) specified actions;
- audits (consensual assessments) to check compliance; and/or
- prosecution of criminal offences under the Data Protection Act 1998.
Monetary Penalty Notices
The imposition of monetary penalty notices by the ICO for serious losses of data is a regular occurrence. Health Authorities, Councils and Police Forces have been particularly vulnerable. For example, in October 2012 a penalty of £150,000 was imposed on Greater Manchester Police following the theft (from an officer's home) of an unprotected memory stick containing sensitive personal data comprising details of over one thousand people with links to serious crime investigations.
In September 2012, Scottish Borders Council was fined £250,000 after former employees' pension records were found in a paper recycling bank in a supermarket car park.
And, in June that year, Brighton and Sussex University Hospitals NHS Trust was fined £325,000 after the discovery of highly sensitive personal data belonging to thousands of patients and staff on computer hard drives sold on an Internet auction site.
A new development
Late last year, following a mix-up over the administration of two customers' accounts resulting in thousands of pounds, intended for an individual's retirement fund, ending up in the wrong account, the ICO imposed a monetary penalty of £50,000 on Prudential.
This is the first time that the ICO has imposed a financial penalty that does not relate to a significant loss of data.
Where now?
It seems unlikely that the number and scale of monetary penalties imposed by the ICO for these types of infringement will decrease anytime soon.
Businesses therefore need to take stock of their data protection measures and data security processes, and upgrade them where appropriate. This may include:
- Auditing your data use, access and storage;
- Instituting new, or upgrading existing, staff and security policies;
- Introducing / upgrading your technical security measures; and
- Ensuring adequate contractual remedies / redress (including indemnities for breach) in your commercial agreements with your suppliers / outsourced suppliers.