The Information Commissioner has the power to levy fines of up to £500,000 for breaches of the Data Protection Act 1998. A number of fines have been issued so far, the largest to date being the £120,000 penalty imposed on Surrey County Council on 9 June 2011 after sensitive personal information was emailed to the wrong recipient on three separate occasions.
With this recent fine, the Information Commissioner has demonstrated that, where the circumstances warrant it, he will not be afraid to impose significant penalties.
Generally, the Information Commissioner has been considered to take a pragmatic approach in assessing and serving monetary penalties. Christopher Graham, the Information Commissioner, explained in the case of Surrey County Council: “This significant penalty fully reflects the seriousness of the case. The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late”.
The Information Commissioner has provided guidance on how fines are calculated and in what circumstances they will be applied.
As set out in the monetary penalties guidelines, “monetary penalty notices are only designed to deal with serious contraventions of the data protection principles”.
Before issuing a penalty, the Information Commissioner must be satisfied that there has been a serious contravention of the Data Protection Act; that the contravention was of a kind likely to cause substantial damage or substantial distress; and that either the contravention was deliberate, or the data controller knew or ought to have known that there was a risk that the contravention would occur and that it was of a kind likely to cause substantial damage or distress, and failed to take reasonable steps to prevent it.
How is the fine calculated?
Section 4 of the ICO's guidance on monetary penalties sets out how penalties will be calculated.
The Information Commissioner has indicated that the ICO enforcement team and the ICO's non-executive directors assist him in calculating an appropriate penalty.
The Information Commissioner will consider:
• The nature of the contravention: whether it is a one-off or part of a series;
• The effect of the breach: whether substantial harm or distress was, or may have been, caused;
• Behavioural issues: what steps the organisation took to prevent the breach;
• Impact on the data controller: for example, the sector, size and financial situation of the data controller, and the likely financial and reputational impact of the penalty on it; and
• Other considerations.
The Information Commissioner has insisted that it is not his intention to cripple the provision of public services by issuing enormous fines to councils, or to compound breaches of data security by issuing fines so large that private data controllers are forced out of business; the ICO therefore considers the impact of the fine on the data controller. The purpose of the fines is to encourage responsible processing of personal data.
Ways to avoid or reduce fines
As the ICO is seeking to encourage responsible processing of personal data, it has stated that if an organisation requests a data protection audit by the ICO, it will not receive a civil monetary penalty in respect of any shortcomings in good practice that the audit discovers. The organisation will instead receive a plan and a timetable within which to remedy those shortcomings.
Another way to reduce or avoid fines is to take action that minimises the chance of any breach and, should a breach occur, minimises its impact and ensures that it does not recur.
The Information Commissioner has highlighted that one of the reasons for the fine was that Surrey County Council failed to take any steps to prevent the mistake from occurring again, and indeed it did, twice more. The message is clear: organisations will pay the price for inaction.
Before a penalty is issued, organisations will be given advance warning and an opportunity to give reasons why it should be lowered.
As well as the fine itself, an organisation facing a penalty must also consider the media coverage and possible reputational damage that follow. Organisations would therefore be well advised to undertake an internal data protection audit to ensure compliance and avoid a fine being levied.