New Powers to impose fines for DP breaches!
29 May 2008
The Data Protection Act 1998 (the DPA) has been amended to allow the privacy watchdog, the Information Commissioner, to impose harsher penalties on organisations that knowingly or recklessly breach the DPA.
The amendment was made by the Criminal Justice and Immigration Act 2008 (which received Royal Assent on 8 May 2008) and gives the Information Commissioner the power to impose monetary penalty notices (ie fines).
These new powers are undoubtedly a reaction to the very recent, high profile data security breaches which included serious violations by Governmental departments. Since the HMRC security breach in November 2007, the Information Commissioner has received over 100 notifications of data breaches by various organisations. The new regime is also designed to reassure individuals about the safety of their personal information held by organisations.
What has changed?
Previously, the Information Commissioner's principal sanction was to serve an Enforcement Notice on an organisation in breach of the data protection principles; breach of an Enforcement Notice was itself a criminal offence. The new Act amends the DPA so that the Information Commissioner can impose "monetary penalties" directly on data controllers found to be in breach, rather than relying on prosecution for breach of an Enforcement Notice.
For the new penalty to apply, there must have been a serious contravention of the data protection principles of a kind likely to cause substantial damage or substantial distress, and either the contravention must have been deliberate, or the data controller must have known, or ought to have known, that there was a risk that the contravention would occur and have failed to take reasonable steps to prevent it.
What do the new fining powers mean?
This means that the Information Commissioner's "teeth" are getting sharper. A power for the Commissioner to impose fines directly on businesses is a wholly new development in the data protection arena, akin to the powers that other regulators such as the FSA have to enforce their rules.
The new rules will also increase the regulatory enforcement risk and overall "temperature" of data protection compliance. Data protection risk now needs to be assessed in the context of these new powers to impose fines.
We will have to wait for subordinate legislation (not yet in place) to determine the maximum amounts that the Information Commissioner can specify and the timing for implementation.
Contacts
If you would like further information on this subject please get in touch with your usual contact or:
Nick Graham, Partner, T: +44 (0)20 7320 6907
Scott Singer, Partner, T: +44 (0)20 7320 6599
Copyright © Denton Wilde Sapte LLP, unless otherwise indicated. All information correct as at date of publication. Consistent with our policy when giving advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of a specific problem, it is recommended that professional advice be sought.