The Data Protection Act 1998 (DPA) seeks to ensure organisations (data controllers) controlling information relating to living individuals (personal data) deal with that data lawfully, fairly and transparently from the moment that the personal data is obtained, until its destruction or disposal.
The regime is underpinned by eight general data protection principles designed to ensure data controllers adhere to certain standards with regard to data processing. The principles require, for example, that controllers ensure personal data is accurate, up to date (where necessary), processed only for specified purposes, and kept for no longer than is necessary.
One of the data protection principles requires that data controllers take appropriate measures to ensure personal data is not lost, stolen or misused. High-profile data security incidents, such as the loss by Her Majesty's Revenue and Customs (HMRC) of discs containing child benefit information for millions of families, have caused widespread concern among the public.
More specifically, however, they also highlighted that the data protection watchdog, the Information Commissioner's Office (ICO), had inadequate powers to punish data controllers found culpable for failing to meet the standards required by the DPA.
After strenuous lobbying, the ICO has finally been granted new powers to fine data controllers through the imposition of "monetary penalty notices" where they are found to have breached the data protection principles. The new powers came into effect on 6 April 2010.
Q How does this affect employers?
A Employers process vast quantities of information relating to their employees, past and present – this information is personal data. Personal data commonly held by employers includes recruitment records, personnel files, sickness records, occupational health records, disciplinary information, pension information and payroll records. Employers are, therefore, data controllers whose activities are caught by the DPA, so they must comply with its requirements in the same way as any other data controller – otherwise, they risk sanctions for breach, including the new monetary penalty notices.
Q Which sectors are affected?
A All employers are affected. This includes companies, small businesses, sole traders, charities, voluntary organisations, local authorities, government departments and other public sector bodies.
Q How much could an employer be fined?
A The maximum penalty is £500,000 per contravention.
Q Do the powers to fine apply to any breach of the DPA?
A No. The ICO can only serve a monetary penalty notice where there has been a "serious contravention" of the data protection principles of a "kind likely to cause substantial damage or substantial distress". In addition, the contravention must be either deliberate or reckless – that is, where the controller actually knew or should have known that there was a risk that such a contravention could occur and "failed to take reasonable steps" to prevent it.
Q Is the power to fine restricted to cases where there have been data security incidents?
A No. While high-profile data security incidents and breaches of the seventh data protection principle (that data are "kept secure" and not lost, stolen or misused) might have provided the impetus for granting these new powers, it is clear that the power to serve monetary penalty notices extends to breaches of all eight principles (provided they otherwise meet the relevant criteria).
For example, last year a secret blacklist of construction industry workers made the headlines. It was found by the ICO to have contravened several data protection principles, and the private investigator who compiled it was fined £5,000 – the maximum fine at that time for persistent breaches of the DPA. It's likely that from 6 April 2010, any individual or organisation compiling a similar blacklist will risk a monetary penalty notice of significantly higher value than £5,000.
(There also remains the possibility of a data subject suing a data controller for compensation if they suffer damage and distress through contravention.)
Q Do we know how the ICO intends to use the new powers?
A The legislation that introduced the new powers required the ICO to publish guidance on how the new powers would be exercised. This guidance can be obtained on the ICO's website. It includes these key points:
- A monetary penalty notice will only be appropriate "in the most serious situations".
- Monetary penalties must be meaningful both as a sanction and a deterrent. The size and resources of a data controller are relevant to determining appropriate penalties
- Controllers receiving a monetary penalty will receive a 20% early payment discount if they pay it within 28 days.
Q Are the new powers retrospective?
A No, the powers only apply to contraventions that occur after 6 April 2010.
Grant Campbell, partner and Tony Hadden, partner, Brodies