
Articles

Data Protection fines - the £500,000 question

The Ministry of Justice has launched a consultation proposing that the Information Commissioner’s Office (ICO) be given the power to impose civil monetary penalties - known as fines to everyone else - of up to £500,000. It is worth repeating just to make clear what we are talking about here: the ICO may get the power to issue fines of up to half a million pounds, without having to go to court.

It does not seem too long ago that some businesses were asking why they should take data protection seriously when the worst that could happen was that they could receive a fine of up to £5,000, or more likely a few hundred pounds, and even then only if the ICO could muster the will to take them to court. Conversely, some of those who complied with the Data Protection Act 1998 (DPA 1998) began to wonder whether it was worth the effort given the relatively meagre penalties they faced for not doing so. Compliance with DPA 1998 brings its own competitive advantages, including streamlined and efficient handling of information and the ability to target marketing resources at those who are likely to be most receptive. However, given that compliance brings costs as well as benefits that can be a tough message for a data protection officer (or more likely a Personnel or IT manager) to sell.

Then came along the story of HMRC’s discs, or more precisely the ones that went missing and could not be found despite the house being turned upside down. We have all been there, looking in every nook and cranny for the car keys, but usually the worst consequence is turning up late to a family gathering rather than losing millions of pieces of personal information with the potential to facilitate large scale identity fraud.

Headline act
Data protection hit the headlines and stayed there in a way that had never really happened before. Organisations from the private, public and third sectors realised that perhaps a small fine was not the worst case scenario after all. It never was, but most people thought that it would never happen to them and that if it did it would be a storm in a teacup. The press thought otherwise, as did the public, with the result that reputations would be ruined and the data protection landscape would be changed forever. There is no return; the change is permanent. The public will not accept lower standards of protection than it currently enjoys, and no government or would-be government would dare suggest otherwise.

DPA 1998 is technical in its drafting and falls short of being a concise statement of how organisations should handle personal information. It is however what we are stuck with. Given that the consensus appears to be that it is right that legal safeguards are maintained to protect personal information, it follows that it is right that those who we charge with the enforcement of those safeguards are given the tools with which to carry out the role.

Quantum leap
With that in mind, what the Ministry of Justice is suggesting is a quantum leap in enforcement. The proposals are relatively simple: the ICO will have the power to impose a fine of up to £500,000 on any data controller committing a serious contravention of DPA 1998.

There are strings attached, namely that the contravention must be likely to have caused substantial damage or distress, and that the contravention must be deliberate or there must have been a failure to take reasonable steps to prevent it. The ICO has issued draft guidance on how the level of a fine will be determined, recognising that fines will be reserved for the most serious of situations and that it will not usually be in the public interest for an excessive fine to bring down an organisation which is otherwise contributing towards the good of society.

Former Information Commissioner Richard Thomas got the enforcement ball rolling before he stepped down this summer; his successor Christopher Graham shows all the signs of taking up the reins as the head of an effective enforcement agency. Whilst the ICO will continue to offer advice and guidance it will, if the Ministry of Justice’s proposals are carried through, be able to command a greater level of attention from those who may have previously chosen to ignore it.

Take heed
Organisations which do their best to try to comply with DPA 1998 and make at least a half decent job of doing so will not generally have anything to fear from the new proposals. Everyone else should take heed: the public thinks that data protection matters and if you ignore that fact then you may end up trying your luck with an enforcement agency that can have a very real impact. The Ministry of Justice’s consultation ends on 21 December 2009, with the power to fine expected to come into force in April.

Tom Morrison

The original version of this article first appeared in New Law Journal on 4 December 2009.

10th December 2009

This article is for general guidance only and action should not be taken without obtaining specific advice.