Personnel Today


Legal Q&A: New fines under the Data Protection Act

by Personnel Today 6 Apr 2010

The Data Protection Act 1998 (DPA) seeks to ensure organisations (data controllers) controlling information relating to living individuals (personal data) deal with that data lawfully, fairly and transparently from the moment that the personal data is obtained, until its destruction or disposal.

The regime is underpinned by eight general data protection principles designed to ensure data controllers adhere to certain standards with regard to data processing. The principles require, for example, that controllers ensure personal data is accurate, up to date (where necessary), processed only for specified purposes, and kept for no longer than is necessary.

One of the data protection principles requires that data controllers take appropriate measures to ensure personal data is not lost, stolen or misused. High-profile data security incidents, such as the loss by Her Majesty’s Revenue and Customs (HMRC) of discs containing child benefit information for millions of families, have caused widespread concern among the public.

More specifically, however, they also highlighted that the data protection watchdog, the Information Commissioner’s Office (ICO), had inadequate powers to punish data controllers found culpable for failing to meet the standards required by the DPA.

After strenuous lobbying, the ICO has finally been granted new powers to fine data controllers through the imposition of “monetary penalty notices” where they are found to have breached the data protection principles. The new powers came into effect on 6 April 2010.

Q How does this affect employers?

A Employers process vast quantities of information relating to their employees, past and present – this information is personal data. Personal data commonly held by employers includes recruitment records, personnel files, sickness records, occupational health records, disciplinary information, pension information and payroll records. Employers are, therefore, data controllers whose activities are caught by the DPA, so they must comply with its requirements in the same way as any other data controller – otherwise, they risk sanctions for breach, including the new monetary penalty notices.

Q Which sectors are affected?

A All employers are affected. This includes companies, small businesses, sole traders, charities, voluntary organisations, local authorities, government departments and other public sector bodies.

Q How much could an employer be fined?

A The maximum penalty is £500,000 per contravention.

Q Do the powers to fine apply to any breach of the DPA?

A No. The ICO can only serve a monetary penalty notice where there has been a “serious contravention” of the data protection principles of a “kind likely to cause substantial damage or substantial distress”. In addition, the contravention must be either deliberate or reckless – that is, where the controller actually knew or should have known that there was a risk that such a contravention could occur and “failed to take reasonable steps” to prevent it.

Q Is the power to fine restricted to cases where there have been data security incidents?

A No. While high-profile data security incidents and breaches of the seventh data protection principle (that data are “kept secure” and not lost, stolen or misused) might have provided the impetus for granting these new powers, it is clear that the power to serve monetary penalty notices extends to breaches of all eight principles (provided they otherwise meet the relevant criteria).

For example, last year a secret blacklist of construction industry workers made the headlines. It was found by the ICO to have contravened several data protection principles, and the private investigator who compiled it was fined £5,000 – the maximum fine at that time for persistent breaches of the DPA. It’s likely that from 6 April 2010, any individual or organisation compiling a similar blacklist will risk a monetary penalty notice of significantly higher value than £5,000.

(There also remains the possibility of a data subject suing a data controller for compensation if they suffer damage and distress through contravention.)

Q Do we know how the ICO intends to use the new powers?

A The legislation that introduced the new powers required the ICO to publish guidance on how the new powers would be exercised. This guidance can be obtained on the ICO’s website. It includes these key points:



  • A monetary penalty notice will only be appropriate “in the most serious situations”.
  • Monetary penalties must be meaningful both as a sanction and a deterrent. The size and resources of a data controller are relevant to determining appropriate penalties.
  • Controllers receiving a monetary penalty will receive a 20% early payment discount if they pay it within 28 days.

Q Are the new powers retrospective?

A No, the powers only apply to contraventions that occur after 6 April 2010.


Grant Campbell, partner and Tony Hadden, partner, Brodies
