Information Commissioner gets power to fine for privacy breaches

Out-Law News | 12 May 2008 | 5:18 pm | 3 min. read

The Information Commissioner has been given the ability to fine organisations if their operational procedures cause a gross breach of data protection principles. The move, which had not been expected by privacy experts, follows a Government defeat in the House of Lords.

The power of the Commissioner to fine was introduced into the Criminal Justice and Immigration Bill because the House of Lords backed an Opposition amendment to that Bill that would have made any intentional or reckless disclosure of personal data a criminal offence, with very few exceptions. However, that offence was so widely drafted that it effectively risked criminalising mundane activities such as the passing of personal details to suppliers for business purposes.

During the debate that introduced that amendment, Lord Hunt of Kings Heath for the Government argued that the move to introduce the offence was premature.

Lord Hunt said: "the Cabinet Office is due to publish the findings of its review into data handling procedures in government which will describe how the Government have put in place a core set of minimum mandatory measures to protect information that applies across central government". 

He added that the Government was "committed in principle to the introduction of new sanctions under the Data Protection Act 1998 for the most serious breaches of its principles" adding that changes should only occur "in the light of the recommendations made in the various reports and reviews we are embarked on at the moment".

Notwithstanding, the Lords passed the amendment by four votes.

Dr Chris Pounder, an information law specialist at Pinsent Masons, the law firm behind OUT-LAW.COM, and editor of Data Protection Quarterly, said that vote left the Government with three political choices when the revised Bill returned to the House of Commons.

"The Government could leave the new criminal offence in the Bill, but it knew that the offence was controversially wide; it could ask its MPs to reject the amendment but risk headlines that the Government was dithering in the face of widespread managerial failings to secure personal data; or it could make alternative proposals," he said.

The Government chose the latter course of action, a move that has now gained approval of both Houses of Parliament. As the Criminal Justice and Immigration Bill is now an Act, these changes are now part of the Data Protection Act.

"The new powers were not expected," said Dr Pounder. "I suspect they've come as a surprise to the Information Commissioner as well."

The Information Commissioner now has the ability to serve a "monetary penalty notice" on a data controller. The power will be exercisable in circumstances where the Information Commissioner is satisfied that a data controller has committed a serious contravention of the data protection principles. The Act contains eight principles.

However, the Commissioner has to be satisfied that the contravention was either deliberate or that the data controller knew, or ought to have known, of the contravention risk, and that the contravention would be likely to cause substantial damage or substantial distress, but the data controller failed to take reasonable steps to prevent that contravention.

The Commissioner will be able to determine the amount of the monetary penalty in accordance with guidelines that he will make, albeit the maximum penalty will be set out in regulations yet to be published by the Secretary of State. The power will not apply retrospectively. Sums recovered by the Information Commissioner by monetary penalties will be payable into the Consolidated Fund, so the Commissioner will not have a budgetary incentive to pursue those who might have breached the data protection principles. There will be an Appeal process involving the Tribunal.

Dr Pounder said some details of the new powers have yet to be published.

"The Government amendments are paving measures that allow the Secretary of State to define the nature of the monetary penalty notices in regulations," he said. "Until we see these regulations we do not know the limits of when the Information Commissioner can raise a penalty."

"In practice, it is difficult to see how a monetary penalty notice can be served if an enforcement notice has not been served," he added. "This means that if there is a serious data protection problem and the Commissioner wants to hit the pocket of an organisation, then he would have to serve an enforcement notice as well".

The Information Commissioner had previously called for a new criminal offence of "knowingly or recklessly failing to comply with the data protection principles so as to create a substantial risk that damage or distress will be caused to any person". That call appears to have been rejected with the introduction of a monetary penalty notice.

In the Commons, the Government said that "criminal liability is generally reserved for unlawful behaviour that is sufficiently serious to merit the most stringent liability that the law can impose" and that a new criminal offence related to the principles "would be a disproportionately heavy-handed penalty where there has been no intent or wilfulness in the data controller’s non-compliance".

It added that "Criminal proceedings could result in a costly and time-consuming process for data controllers and the Commissioner" and that the criminal courts might "not have the necessary technical expertise to deal with data issues".
