ARTICLE
16 November 2009

500,000 Reasons For Data Controllers To Be Careful


The Ministry of Justice has issued a consultation paper to assess the appropriateness of fines of 10% of annual turnover, up to a maximum of £500,000, for serious breaches by data controllers of any of the eight data protection principles. The eight principles are:

  • Personal data must be processed fairly and lawfully;
  • Personal data must be obtained only for one or more specified and lawful purposes and not further processed in any manner incompatible with that purpose or those purposes;
  • Personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
  • Personal data must be accurate and where necessary kept up to date;
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes;
  • Personal data must be processed in accordance with the rights of data subjects under the Act;
  • Appropriate security measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and
  • Personal data must not be transferred to a country or countries outside the European Economic Area unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The Information Commissioner will be able to impose fines on Data Controllers where the following conditions are met:

  • the Data Controller seriously contravenes any of the eight principles of the Act; and
  • such a contravention is likely to cause significant damage or distress to an individual;

and either

  • the actions of the Data Controller were either deliberate or reckless; or
  • they knew, or ought to have known, that there was a risk such a breach would occur and would cause damage or distress, and they failed to take reasonable steps to prevent it.

In draft guidance, the ICO sets out the reasoning behind the new monetary penalties, the circumstances in which they can be imposed and how they will be imposed. The ICO has, however, emphasised that "the purpose of a monetary penalty notice is not to impose serious financial hardship on a responsible data controller", and before handing out fines the Commissioner will take into account the sector within which the data controller operates and the size and financial resources of the business.

The consultation period for this proposal ends on 21 December 2009 and the new power for the ICO is expected to come into force in April 2010.

MacRoberts offers a comprehensive data protection compliance service. 

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.

© MacRoberts 2009
