Control your data
Keep your data protection policies under review or face fines up to £500,000, says Carolyn Fink, associate at Penningtons Solicitors
Social landlords beware: UK data protection regulator the Information Commissioner’s Office was granted new powers on 6 April to order organisations to pay hefty financial penalties for breach of the Data Protection Act 1998. The ICO may now fine companies and other organisations up to £500,000 for serious data protection breaches by issuing a ‘monetary penalty notice’.
Fine advice
In its statutory guidance, the ICO has advised that fines will only be imposed for serious and reckless breaches of the DPA where the organisation has failed to take reasonable steps to prevent the breach. Serious breaches are those ‘of a kind likely to cause substantial damage or substantial distress’. In determining the amount of a fine, the ICO will take into account the sector, size, and financial and other resources of the data controller (that is, the person or organisation who determines how personal data should be processed).
The ICO has noted that ‘as a general rule, a data controller with substantial financial resources is more likely to attract a higher monetary penalty than a data controller with limited resources for a similar contravention of the data protection principles’. An early payment discount of 20 per cent is available to a data controller who pays the penalty within 28 days of receipt of a monetary penalty notice.
A serious breach
If the ICO is satisfied that a serious breach of the DPA has occurred, the following procedure will apply: the ICO will serve a ‘notice of intent’ on the data controller. The data controller then has an opportunity to make representations about the issue of a monetary penalty notice and/or the proposed size of the fine. The ICO must then consider any representations made by the data controller and decide whether or not to proceed with the monetary penalty notice or to vary it (for example by reducing the size of the fine) and inform the data controller of its decision. The data controller can appeal to the Tribunals Service against a monetary penalty notice.
Deterrent
The ICO has commented that the purpose of the fines is to ‘act as a deterrent and promote compliance with the DPA’, and has indicated that it will not hesitate to impose these sanctions ‘in the most serious cases where organisations disregard law’.
Therefore, organisations in the social housing sector would be well advised to keep their data protection policies under continuous review and to take prompt steps to rectify matters upon becoming aware of a specific risk of data loss.
Notice of Intent
If the ICO issues a notice of intent, evidence that data protection policies were kept under review and that prompt remedial action was taken may assist the data controller in demonstrating that it took reasonable steps to prevent the breach. On that basis, the ICO may decide not to issue a monetary penalty notice, or to reduce the amount of the fine and proceed with a varied monetary penalty notice.