Further to our e-update "500,000 Reasons for Data Controllers to be careful" (www.macroberts.com/content/content_991.html), the Ministry of Justice has published the outcome of its consultation into fixing a higher monetary penalty for serious breaches of the data protection principles under the Data Protection Act 1998. It has concluded that there should be a maximum fine of £500,000, and it is expected that this provision will come into force on 6 April 2010.
The potential penalty can apply to data controllers found guilty of a serious contravention of the data protection principles, where substantial damage or distress was likely to be caused, and either:
- the contravention was deliberate, or
- the data controller knew or ought to have known that the breach was likely to occur and failed to take reasonable steps to prevent it from occurring.
The Information Commissioner's Office will be able to impose these sanctions on any data controller. In other words, all public sector bodies, private sector organisations, charities and any other organisation that processes personal data will be caught should they fall foul; there are no data controller exceptions. The government is also likely to introduce custodial sentences for serious data protection breaches later this year, with the consultation responses on that issue currently under review by the Ministry of Justice.
These new powers demonstrate a tougher stance by the ICO towards data protection breaches, and while the Information Commissioner Christopher Graham has stated his commitment to co-operating with public, private and third sector bodies to ensure compliance, he "will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."
This new power does not mean that offenders will be hit with fines whenever there is a breach of the data protection principles. The ICO will consider any possible mitigating factors, such as whether it was a first offence, the seriousness of the contravention, the likelihood of damage or distress, and what steps had already been put in place to prevent breaches. There will also be a 20% discount for those who pay their fine within 28 days of receiving a monetary penalty notice.
MacRoberts was one of the 52 respondents to the consultation paper; the MacRoberts consultation response can be viewed at www.macroberts.com/images/CivilMonetaryPenalitiesConsultationMacRrespDec09.pdf
You can view the Ministry of Justice's summary of the responses here: http://www.justice.gov.uk/consultations/docs/civil-monetary-penalties-consultation-response.pdf
MacRoberts offers comprehensive advice on all data protection matters to public, private and third sector bodies.
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.