Out-Law News | 05 Mar 2014 | 12:18 pm | 4 min. read
Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that a previous increase in the maximum level of fine that could be issued for civil breaches of the DPA had prompted organisations to take the issue of data protection seriously.
She said that as part of its current review of criminal sanctions under the DPA being undertaken by the Ministry of Justice, the government should consider strengthening the civil monetary penalty regime under the Act too.
"In 2010, when the ICO was first handed the power to issue civil monetary penalty of up to £500,000 to organisations that breach the DPA, there was a marked change in businesses' attitude towards data protection," Wynn said. "Businesses began taking more seriously the need to put in place appropriate security against the loss or theft of the personal data they were responsible for, and they also improved the due diligence they conducted on third party processors' handling of the data too."
"However, it still remains the case that for the very biggest companies, a fine of £500,000 would represent a drop in the ocean and a small part of the overall costs those organisations would encounter if they experienced a major data breach," she said. "There would be another step-change in the seriousness with which organisations address data security if they could be fined a more significant sum. It could even act as a driver towards a market shift in the enhancement of cloud providers' security offerings since organisations would have a greater onus on ensuring data security when they are outsourcing processing and storage to a cloud provider."
"Changes to the civil monetary penalty regime are already envisaged under the EU's draft General Data Protection Regulation. A similar approach to the one envisaged under those rules, where the level of penalty organisations could face for a data breach would be calculated on the basis of a percentage of their annual turnover, would act as a major deterrent to non-compliance from the largest companies and drive better data protection practices across industry. This would in turn better prepare organisations for compliance with the new Regulation when it is finally introduced," Wynn added.
Earlier this week justice minister Simon Hughes said that the UK government had begun a review of the sanctions available for breaches of the DPA. He said the review would help it "decide whether to increase the penalties as the law permits".
A spokesman for the Ministry of Justice confirmed to Out-Law.com that the review is concerned with the criminal sanctions regime under the DPA, rather than the penalties available in civil cases.
Section 55 of the Data Protection Act (DPA) states that it is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data" without the consent of those who control the data.
The current penalty for committing a section 55 offence is a maximum £5,000 fine if the case is heard in a magistrates court and an unlimited fine for cases tried in a crown court.
Under the Criminal Justice and Immigration Act (CJIA) the justice secretary has the power to introduce new regulations that would allow a custodial sentence penalty to be available for the offences under Section 55 of the DPA, but those powers have yet to be used. In 2008 the Act came into force without those powers being immediately available.
In a speech given at the ICO's Data Protection Practitioner Conference in Manchester on Monday, Hughes said that information commissioner Christopher Graham has argued "eloquently" for the powers under the CJIA to be invoked and confirmed that a review had been started within government on whether to do so.
"Serious misuse of personal data by any sector causes significant distress and damage to ordinary citizens and undermines public trust in public institutions and business which in turn can undermine economic growth," Hughes said.
The justice minister also confirmed that the government would change the law to "prohibit a person from requiring someone else to produce certain records [relevant to those individuals] as a condition of employment, or for providing a service, other than where the relevant record is required by law or where it is justified in the public interest". This is colloquially known as a forced subject access request.
"The powers to ban enforced subject access requests, under the yet-to-be-enforced Section 56 of the DPA, are less relevant than they may be been previously," Wynn said. "This is in part because, in the context of criminal record checks, organisations can follow a process for obtaining relevant information for their checks through the Disclosure & Barring Service and do not need prospective new staff to submit a subject access request to the police which would reveal all the information held about those individuals."
"Additionally, businesses are less likely to require individuals to submit a subject access request with other organisations when seeking to agree a contract with those individuals over the provision of services. In the age of big data, they do not need individuals to carry out subject access requests to find out more about them. It is instead increasingly common for individuals to volunteer information or alternatively allow companies to track their preferences and activity if they are offered access to innovative goods or services in return, or a cheaper or better value product offering," she said.
"Where the Section 56 powers may have an effect is in the claims management industry where companies often require individuals to submit a subject access request with other organisations to uncover evidence they can use in acting on behalf of those individuals in making claims against those organisations," Wynn added.