Legal Updates

Data Protection: New Penalties – Information Commissioner - Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010

The Information Commissioner will be granted new powers under the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010/31) (“Regulations”) to impose civil monetary penalties on data controllers for non-compliance. These Regulations will come into force on 6 April 2010.

Summary

  • These Regulations make provision in relation to the power of the Information Commissioner to impose monetary penalty notices on data controllers under section 55A of the Data Protection Act 1998 (“the Act”)
  • Regulation 2 prescribes £500,000 as the maximum amount the Information Commissioner may impose as a monetary penalty
  • Regulation 3 prescribes the information that the Information Commissioner must include in a notice of intent, which the Information Commissioner serves on a data controller when the Information Commissioner intends to impose a monetary penalty
  • Regulation 4 prescribes the information the Information Commissioner must include in a monetary penalty notice.

Non Compliance

The Regulations set out the maximum amount of monetary penalty and the minimum details to be contained in a notice of intent and in a monetary penalty notice (see below).

The Information Commissioner is able to serve a monetary penalty notice on a data controller if the Information Commissioner is satisfied both that there has been a serious contravention by the data controller of the Eight Data Protection Principles and that the contravention was likely to cause substantial damage or distress. Such a contravention must be either deliberate, or something which the data controller knew (or ought to have known) would occur and would be of a kind likely to cause substantial damage or substantial distress, but in respect of which the data controller failed to take reasonable steps to prevent its occurrence.

  • A penalty for knowingly or recklessly failing to comply with the data protection principles so as to create a substantial risk that damage or distress will be caused to any person
  • A power for the Information Commissioner to inspect personal data and the circumstances surrounding its processing in order to assess whether or not any processing of the data is carried out in compliance with the Act
  • A power for the Information Commissioner to require a data controller to provide him with a report by a skilled person
  • Enhanced enforcement powers to enable the Information Commissioner to bring seriously unlawful processing to an immediate halt, to place formal undertakings on a statutory basis and to enable the Information Commissioner to take enforcement action to prevent breaches of the Act that are likely to occur
  • Information notices that can be served on any person rather than just a data controller.

Notices of intent

The notice of intent will contain the following information:

  • the name and address of the data controller;
  • the grounds on which the Commissioner proposes to serve a monetary penalty notice, including—
      o the nature of the personal data involved in the contravention,
      o a description of the circumstances of the contravention,
      o the reason the Commissioner considers that the contravention is serious,
      o the reason the Commissioner considers that the contravention is of a kind likely to cause substantial damage or substantial distress, and
  • whether the Commissioner considers that section 55A(2) applies or that section 55A(3) applies, and the reason the Commissioner has taken this view;
  • an indication of the amount of the monetary penalty the Commissioner proposes to impose and any aggravating or mitigating features the Commissioner has taken into account; and
  • the date on which the Commissioner proposes to serve the monetary penalty notice.

Monetary penalty notices

The notice will contain the following information:

  • the name and address of the data controller;
  • details of the notice of intent served on the data controller;
  • whether the Commissioner received written representations following the service of the notice of intent;
  • the grounds on which the Commissioner imposes the monetary penalty, including—
      o the nature of the personal data involved in the contravention,
      o a description of the circumstances of the contravention,
      o the reason the Commissioner is satisfied that the contravention is serious,
      o the reason the Commissioner is satisfied that the contravention is of a kind likely to cause substantial damage or substantial distress, and
  • whether the Commissioner is satisfied that section 55A(2) applies, or that section 55A(3) applies, and the reason the Commissioner is so satisfied;
  • the reasons for the amount of the monetary penalty including any aggravating or mitigating features the Commissioner has taken into account when setting the amount;
  • details of how the monetary penalty is to be paid;
  • details of, including the time limit for, the data controller’s right of appeal against—
      o the imposition of the monetary penalty, and
      o the amount of the monetary penalty; and
  • details of the Commissioner’s enforcement powers under section 55D(3).

RT Coopers are experts in Data Protection and we conduct data protection audits. If you require further information please contact us at [email protected] or visit http://www.rtcoopers.com/practice_dataprotection.php



© RT COOPERS, 2010. This Briefing Note does not provide a comprehensive or complete statement of the law relating to the issues discussed nor does it constitute legal advice. It is intended only to highlight general issues. Specialist legal advice should always be sought in relation to particular circumstances.