Data protection penalties: the ICO bares its teeth

The Information Commissioner’s Office (ICO) has announced the first monetary penalties (PDF) under new provisions introduced into the Data Protection Act earlier this year.

Hertfordshire County Council has had a penalty of £100,000 imposed on it after faxing highly sensitive material (in one case relating to child sexual abuse) to the wrong recipients, while employment services company A4e faces a penalty of £60,000 after losing an unencrypted laptop containing the details of 24,000 users of community legal centres. The ICO will no doubt be glad that its first use of its new powers has allowed it to send a clear signal to both the public and private sectors.

For a long time the Data Protection Act was perceived to lack teeth: fines for breaching the Act could only be imposed by the Information Commissioner if a data controller breached an enforcement order put in place after a previous breach. This meant that even very serious breaches (such as when HMRC lost details of millions of child benefit recipients) could go unpunished if they were a “first offence”.

The new monetary penalties regime (s.55A DPA) allows the Information Commissioner to impose civil monetary penalties where there has been a serious contravention of the Data Protection Act (occurring on or after 6 April 2010) of a kind likely to cause substantial damage or substantial distress, and where either:

  • the contravention was deliberate; or
  • the data controller knew or ought to have known about the risk (and the likely consequences) but failed to take reasonable steps to prevent it.

The maximum penalty that can be imposed is £500,000.

The civil penalties regime significantly alters the risk profile for data protection breaches. Previously, the main consequences of a data protection breach for most organisations were reputational rather than financial. The ICO has shown how keen it is to use the new powers to make data protection a far higher priority for businesses and other organisations. Hertfordshire County Council and A4e will surely be only the first of many cases over the next few months and years.