Information Commissioner offers guidance on civil monetary penalties

Last Thursday I attended the Holyrood Magazine’s Data Protection 2011 conference, and during the afternoon workshop entitled “new powers and penalties regime, protecting and sharing sensitive data”, the Information Commissioner Christopher Graham provided an interesting insight into how the Information Commissioner’s Office (“ICO”) calculates civil monetary penalties levied against data controllers which contravene the Data Protection Act (“DPA”).

As you may be aware, a penalty of up to £500,000 can now be levied by the ICO when one of the eight principles of the DPA has been seriously breached. A penalty is only applicable if the ICO is convinced that the breach was deliberate or that the data controller knew, or ought to have known, of the contravention risk, and that the contravention would be likely to cause substantial damage or substantial distress and that the controller failed to take action to stop it.

The Information Commissioner indicated yesterday that the ICO enforcement team and the non-executive directors of the ICO assist him in calculating an appropriate penalty, and regard is paid not just to the circumstances of the contravention, but also the nature and size of the contravening organisation.

It was also stated that the ICO does not wish to cripple provision of public services by issuing huge penalties to councils, or to compound breaches of data security by putting private data controllers out of business. Rather, the intention of the penalties is to encourage responsible processing of personal data.

With that aim in mind, if an organisation asks the ICO for an audit, the organisation won’t get a civil monetary penalty if a shortcoming in good practice is discovered. Instead, it will be provided with a plan to amend any shortcomings, and an agreed timetable within which to make the amendments.

In the event that an organisation is charged with a penalty for a contravention of the DPA, it will also be given advance warning, and asked to provide reasons as to why the penalty should be lowered.

The Commissioner acknowledged that there had been criticism of the decision to levy a “small” £60,000 fine against A4e Limited for not encrypting sensitive data on a laptop that was subsequently stolen.

However, he said that the fine was part of a calibration process in which the maximum £500,000 fine would be reserved for only the most serious contraventions. Although the Information Commissioner didn’t elaborate further, it sounds as though the plan is to reserve the £500,000 penalty in order to maximise the media coverage and adverse reputational impact of the contravention which eventually gives rise to the maximum penalty being applied.

Given that some parties feel that the £500,000 cap on the penalty is actually too low, keeping the maximum penalty under wraps in order to maximise its eventual impact may prove to be a very clever strategy.
