On November 9, 2009, the UK’s Ministry of Justice launched a consultation seeking the public’s views on the proposed implementation of a maximum penalty of £500,000 (approximately US$837,950) for serious breaches of the UK Data Protection Act 1998 (the “DPA”). This Consultation follows the Information Commissioner’s publication of draft guidance this week, explaining the circumstances in which a fine will be imposed. The launch of the Consultation puts to rest recent speculation as to the level of fine likely to be imposed for a deliberate or serious breach of the DPA, including for data security breaches.
The DPA imposes obligations on data controllers that process personal data to: (i) process personal data fairly and lawfully; (ii) obtain personal data only for specified lawful purposes, and not further process personal data in any manner incompatible with such purposes; (iii) ensure that personal data are adequate, relevant and not excessive in relation to the purposes for which they are processed; (iv) ensure that personal data are accurate and, where necessary, kept up-to-date; (v) keep personal data only for as long as is necessary for the purposes for which they are collected; (vi) process personal data in accordance with individuals’ rights; (vii) implement appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and (viii) not transfer personal data to a jurisdiction outside the European Economic Area unless that jurisdiction affords adequate protection levels for individuals’ rights and freedoms in relation to the processing of personal data.
In 2008, the DPA was amended by Section 144 of the Criminal Justice and Immigration Act 2008 (“CJIA”) to provide the Information Commissioner with the power to impose civil monetary penalties on data controllers who commit serious breaches of any of the obligations set out above (known as the “data protection principles”). Before doing so, the Information Commissioner must be satisfied that the contravention: (i) was serious and of a kind likely to cause substantial damage or distress to an individual; and (ii) was either deliberate or the data controller knew, or ought to have known, that there was a risk that the contravention would occur and that it would be likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it. In addition, before imposing a monetary penalty, the Information Commissioner is required to serve the data controller with a notice of intent, which must inform the data controller of the proposed amount of the monetary penalty and of its right to make written representations to the Information Commissioner within a specified period. The Information Commissioner may not issue the monetary penalty until the period for making such representations has expired.
The Consultation provides organizations with an opportunity to express their views about the proposed maximum penalties. The Consultation paper issued by the Ministry of Justice highlights the UK government’s underlying aim of safeguarding personal data effectively and processing it responsibly and lawfully. In addition, the UK government is of the view that the implementation of such penalties should contribute to increased compliance with the DPA and greater confidence for individuals whose personal data are processed. The Consultation also stresses, however, that any financial sanctions imposed must be proportionate, taking into account specific circumstances, such as the financial hardship a penalty may bring to a data controller that has contravened the DPA. On this basis, the Ministry of Justice has suggested that, for small companies, the maximum fine should not exceed 10% of annual turnover.
Data controllers in the UK and their representative bodies have been invited to submit their responses to the Consultation by December 21, 2009, addressing, in particular, the issue of whether a penalty of up to £500,000 is a “proportionate sanction for serious contraventions of the data protection principles.” The Ministry of Justice will publish a paper summarizing the responses received by January 11, 2010.
The Information Commissioner’s Position
Section 144 of the CJIA also requires the Information Commissioner to publish guidance on the circumstances in which monetary fines will be issued, and how the level of a fine will be determined. The Information Commissioner issued such statutory guidance in draft form on November 4, 2009 and it is expected that the guidance will become final after the Consultation process is complete.
The guidance emphasizes that a monetary penalty will be appropriate only in the most serious situations and, in particular, where it will act both as a sanction penalizing wrongful acts and a deterrent preventing future non-compliance. In determining the amount of a financial penalty, the Information Commissioner will take into account the sector (for example, whether the data controller is a voluntary organization or an organization in the public sector), the size, and the financial and other resources of a data controller. As a general rule, a data controller with substantial financial resources is more likely to attract a higher monetary penalty than a data controller with limited resources for a similar contravention of the DPA.
Monetary penalties can be issued only in respect of “serious” contraventions of the DPA. A contravention is more likely to be considered serious having regard to one or more of the following factors: (i) the nature of the personal data concerned (for example, sensitive personal data); (ii) the duration and extent of the contravention; (iii) the number of individuals actually or potentially affected by the contravention; (iv) whether it related to an issue of public importance; and (v) whether the contravention was due to deliberate or negligent behavior on the part of the data controller.
The Information Commissioner will consider on a case-by-case basis whether a data controller has taken reasonable steps to prevent a contravention. A data controller is more likely to be deemed to have taken reasonable steps to prevent a contravention if, for example: (i) a risk assessment was carried out, or there is other evidence that the data controller had recognized the risks of handling personal data and taken steps to address them; or (ii) guidance or codes of practice relevant to the contravention, whether published by the Information Commissioner or by others, were implemented by the data controller.
The underlying theme of the guidance is reasonableness and proportionality. As a general rule, the Information Commissioner will seek to ensure that the imposition of a monetary penalty is appropriate and that the amount of the penalty is reasonable and proportionate, taking into account the facts of the case and the objective of the penalty. In doing so, the Information Commissioner will consider the specific circumstances of the contravention and any written representations made to him by the data controller.