UK Law – £500,000 penalty proposed for serious breaches of DPA 1998 – UK Legal News – The Ministry of Justice announced, last week, that it plans to give the Information Commissioner the power to impose penalties of up to £500,000 on data controllers who seriously breach the Data Protection Act 1998. A Consultation is now under way until 21 December 2009 and the Government will report its findings on 11 January 2010.

When could the penalty be imposed?

If the proposal were enacted into law, it would give the Information Commissioner the power to issue a “monetary penalty notice” if a data controller seriously contravenes any of the data protection principles. A ‘serious contravention’ is one that:

(a) would be likely to cause substantial damage or distress; and

(b) is either deliberate or reckless (i.e. the data controller knew or ought to have known of a risk of a serious breach but failed to take steps to prevent it.)

What does the Information Commissioner say?

The Information Commissioner has simultaneously produced draft guidance setting out how this potential new power would be exercised:

“The purpose of the monetary penalty notice is not to impose serious financial hardship on a responsible data controller”.

A monetary penalty notice will only be used as a punishment where there has been a deliberate or reckless handling of personal data. When deciding the extent of the penalty, the Information Commissioner will take into account the data controller’s size, the financial resources available to the data controller and the sector in which the data controller operates.

Before issuing a monetary penalty notice, the Information Commissioner will have to issue the data controller with a ‘Notice of Intent’, setting out details of the proposed penalty. The data controller will then have 28 days in which to make written representations to the Information Commissioner. If, having considered the data controllers representations, a monetary penalty notice is then issued, a data controller will have 28 days in which to pay it. If the penalty is paid within 28 days, a discount of up to 20% will be applied.

Why is the penalty necessary?

At present, the Information Commissioner has limited powers to “punish” offenders of the Data Protection Act.

The Information Commissioner can issue enforcement notices for breaches of the data protection principles. However, as enforcement notices merely require a data controller to change its practice, the Government believes that enforcement notices alone are not appropriate sanctions for serious breaches of the Data Protection Act.

The Information Commissioner can bring criminal proceedings for some data protection offences, including non compliance with enforcement notices, failure to notify as a data controller and unlawfully obtaining personal data.

The maximum sanction is a £5,000 fine in the Magistrates Court and an unlimited fine in the Crown Court. However, an offence can only be referred to the Crown Court if:

(a) the data controller elects for a trial by jury; or

(b) the Magistrates deem the matter appropriate for a Crown Court trial.

The Information Commissioner does not have the power to decide which Court the matter should be heard in.

The new penalty would allow the Information Commissioner to directly punish serious offenders of data protection law. Although not a criminal sanction, the power to impose a “fine” of up to £500,000 should deter businesses from breaching the data protection principles and encourage compliance with the Data Protection Act.

Coupled with the Government’s proposal to introduce prison sentences (up to a maximum of 2 years) for offences of unlawfully obtaining personal data, this new proposal clearly shows that the Government is now taking the area of data protection very seriously!

Scroll to Top