On 6 April 2010 serious breaches of the Data Protection Act 1998 (the “Act”) became punishable with a fine of up to £500,000.
The UK Information Commissioner’s Office (the “ICO”) has been given new powers to serve a civil monetary penalty notice on data controllers in those cases where a breach of the Act was deliberate or reckless and was likely to cause substantial damage or substantial distress.
The ICO has issued guidance on the circumstances in which a fine will be imposed and the factors affecting the amount. The Guidance indicates that a “serious contravention” could include failure to ensure adequate security measures (described as “use of encrypted files and devices, operational procedures, guidance etc”) resulting in the loss of a compact disc containing personal data.
In terms of whether a data controller could have known or ought to have known of the risk there might be a serious breach, the Guidance indicates that it’s an objective test and the Commissioner will expect the standard of care of a reasonably prudent data controller. The Guidance provides details of the sort of “reasonable steps” a data controller is expected to take.
It appears that the ICO hopes the introduction of these new powers will act as a deterrent, and that it will not be necessary to use the full extent of its powers. That said, there's always the chance that the next big data security breach could be used as an example. Given the number of contraventions, it is very much a question of when a huge fine will be handed out, rather than if it will happen.
How would this apply to the following?
http://torrentfreak.com/leaked-emails-reveal-profits-of-anti-piracy-cash-scheme-100926/
Posted by: Anton | September 27, 2010 at 12:17 PM
The Guidance indicates that a "serious contravention" could include failure to ensure adequate security measures (described as "use of encrypted files and devices, operational procedures, guidance etc")
That sounds exactly like what ACS:Law (referred to in the comment above) are guilty of.
Posted by: Anonymous | September 27, 2010 at 07:02 PM