Personnel Today


Legal Q&A: New fines under the Data Protection Act

by Personnel Today 6 Apr 2010

The Data Protection Act 1998 (DPA) seeks to ensure organisations (data controllers) controlling information relating to living individuals (personal data) deal with that data lawfully, fairly and transparently from the moment that the personal data is obtained, until its destruction or disposal.

The regime is underpinned by eight general data protection principles designed to ensure data controllers adhere to certain standards with regard to data processing. The principles require, for example, that controllers ensure personal data is accurate, up to date (where necessary), processed only for specified purposes, and kept for no longer than is necessary.

One of the data protection principles requires that data controllers take appropriate measures to ensure personal data is not lost, stolen or misused. High-profile data security incidents, such as the loss by Her Majesty’s Revenue and Customs (HMRC) of discs containing child benefit information for millions of families, have caused widespread concern among the public.

More specifically, however, they also highlighted that the data protection watchdog, the Information Commissioner’s Office (ICO), had inadequate powers to punish data controllers found culpable for failing to meet the standards required by the DPA.

After strenuous lobbying, the ICO has finally been granted new powers to fine data controllers through the imposition of “monetary penalty notices” where they are found to have breached the data protection principles. The new powers came into effect on 6 April 2010.

Q How does this affect employers?

A Employers process vast quantities of information relating to their employees, past and present – this information is personal data. Personal data commonly held by employers includes recruitment records, personnel files, sickness records, occupational health records, disciplinary information, pension information and payroll records. Employers are, therefore, data controllers whose activities are caught by the DPA, so they must comply with its requirements in the same way as any other data controller – otherwise, they risk sanctions for breach, including the new monetary penalty notices.

Q Which sectors are affected?

A All employers are affected. This includes companies, small businesses, sole traders, charities, voluntary organisations, local authorities, government departments and other public sector bodies.

Q How much could an employer be fined?

A The maximum penalty is £500,000 per contravention.

Q Do the powers to fine apply to any breach of the DPA?

A No. The ICO can only serve a monetary penalty notice where there has been a “serious contravention” of the data protection principles of a “kind likely to cause substantial damage or substantial distress”. In addition, the contravention must be either deliberate or reckless – that is, where the controller actually knew or should have known that there was a risk that such a contravention could occur and “failed to take reasonable steps” to prevent it.

Q Is the power to fine restricted to cases where there have been data security incidents?

A No. While high-profile data security incidents and breaches of the seventh data protection principle (that data are “kept secure” and not lost, stolen or misused) might have provided the impetus for granting these new powers, it is clear that the power to serve monetary penalty notices extends to breaches of all eight principles (provided they otherwise meet the relevant criteria).

For example, last year a secret blacklist of construction industry workers made the headlines. It was found by the ICO to have contravened several data protection principles, and the private investigator who compiled it was fined £5,000 – the maximum fine at that time for persistent breaches of the DPA. It’s likely that from 6 April 2010, any individual or organisation compiling a similar blacklist will risk a monetary penalty notice of significantly higher value than £5,000.

(There also remains the possibility of a data subject suing a data controller for compensation if they suffer damage and distress through contravention.)

Q Do we know how the ICO intends to use the new powers?

A The legislation that introduced the new powers required the ICO to publish guidance on how the new powers would be exercised. This guidance can be obtained on the ICO’s website. It includes these key points:



  • A monetary penalty notice will only be appropriate “in the most serious situations”.
  • Monetary penalties must be meaningful both as a sanction and a deterrent. The size and resources of a data controller are relevant to determining appropriate penalties.
  • Controllers receiving a monetary penalty will receive a 20% early payment discount if they pay it within 28 days.

Q Are the new powers retrospective?

A No, the powers only apply to contraventions that occur after 6 April 2010.


Grant Campbell, partner and Tony Hadden, partner, Brodies
