ICO Issues Further Guidance on its Monetary Penalties Powers
The UK’s data privacy regulator, the Information Commissioner’s Office (ICO), has recently issued further statutory guidance on its powers to impose monetary penalties. This guidance builds on an earlier statutory guidance note issued by the ICO back in January 2010, by providing greater clarification on the key factors in the ICO’s decision process when imposing monetary penalties. Broadly, the guidance emphasises that monetary penalty notices are intended for the most serious breaches only, with the objective of encouraging compliance, rather than punishing infringers for minor or technical breaches. An important take-away from the guidance is the weight the ICO gives to conscientious efforts to avoid breaches, even where a breach occurs despite those efforts. Thus, monetary penalties may or may not be imposed for the same offense (or the amount of the penalty varied) depending on an organization’s compliance efforts. Putting in place a comprehensive compliance program, and actively taking steps to ensure the program is followed through, is therefore a helpful defence against the risk of monetary penalties.
The ICO has powers to impose monetary penalties for breaches of both the Data Protection Act 1998 (the DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “E-Privacy Regulations”). These rules empower the ICO to issue monetary penalty notices, of up to £500,000, for breaches of the DPA or E-Privacy Regulations, as relevant, which meet the following conditions:
1. the breach is a ‘serious’ breach – The guidance states that the ICO will judge this objectively, taking into account the expectations of the data subject and society as a whole:
- Practical examples (DPA breach): failure to take adequate security measures leading to loss of personal data;
- Practical examples (E-Privacy Regulations breach): making a significant volume of automated marketing calls without consent, leading to distress, or covertly using mobile location data; and
2. the breach is of a kind likely to cause substantial damage (financially quantifiable loss) or substantial distress (injury to feelings, harm or anxiety) – ‘Substantial’ is taken by the ICO to mean “considerable in importance, value, degree, amount or extent”, therefore damage which, when suffered on an individual level, is not substantial, may be considered substantial if suffered by large numbers of individuals. On the other hand, a single breach may be sufficiently substantial to warrant a monetary penalty:
- Practical examples (DPA breach): disclosure of inaccurate personal data in an employment reference, causing that job opportunity to be lost;
- Practical examples (E-Privacy Regulations breach): distress caused to large numbers of individuals by repeated automated marketing calls which are difficult to opt out of; and either
3. the breach was caused deliberately:
- Practical examples (DPA breach): personal data collected strictly for the purposes of a competition is knowingly used for other commercial purposes, such as tracing databases or selling to third parties;
- Practical examples (E-Privacy Regulations breach): repeatedly sending marketing faxes or calling phone numbers listed on the fax preference service and telephone preference service, respectively, or repeatedly sending marketing SMS without consent and charging a premium rate for opt-out messages; or
4. the infringing person or entity knew or ought to have known that there was a risk that a contravention would occur (and that such a contravention would be of a kind likely to cause substantial damage or substantial distress) but failed to take reasonable steps to prevent it – This is an objective test, judged against the standard of the reasonably prudent person:
- Practical examples (DPA breach): a data controller is warned by members of its internal team that employees are using sensitive personal data, but does not carry out a risk assessment or put in place any compliance processes;
- Practical examples (E-Privacy Regulations breach): an entity is aware that its number blocking system for preventing calls being made to opted-out numbers may be faulty, but does not investigate the likelihood of a fault or carry out any testing or preventative action;
- Practical examples (‘reasonable steps’): carrying out a risk assessment, taking steps to address the risks of handling personal data, the establishment of good governance and personal data specific policies and practices, and rectifying issues and potential breaches as soon as practicably possible.
The amount of the monetary penalty will be determined by the ICO after consideration of the key factors discussed above, paying particular attention to the following:
(a) the nature of the data;
(b) the number of individuals involved;
(c) the number of similar or previous breaches caused by the infringing entity;
(d) the nature and scale of the damage or distress caused to individuals;
(e) the overall governance and compliance attitude of the infringing entity and responsiveness to ICO queries and recommendations; and
(f) the size and financial resources of the infringing entity.
As discussed above, the recent guidance confirms the ICO’s approach in practice of giving considerable weight to an organization’s compliance efforts. In relation to both the decision to impose a monetary penalty in the first place, and subsequently the level of that penalty, the ICO will consider whether reasonable compliance steps have been taken to prevent the breach (and if so, a monetary penalty is unlikely to be imposed, unless the infringing act was deliberate), and the compliance attitude of the organisation. This emphasis highlights the importance of taking active and visible steps to achieve compliance as far as possible.
The monetary penalty notice is one of a range of sanction options available to the ICO. The ICO may also:
(a) issue an enforcement notice, requiring the data controller to remedy the infringing data processing;
(b) issue information or special information notices, requiring the data controller to provide information to assist the ICO in determining whether the data controller has complied with the DPA;
(c) carry out a voluntary assessment of the data controller’s compliance with the DPA, with the data controller’s consent;
(d) serve an assessment notice to carry out a mandatory assessment of compliance with the DPA; or
(e) carry out an audit for compliance with the E-Privacy Regulations.
A failure to comply with any one of these notices is an offence, as are a number of other breaches of the DPA (such as failing to notify the ICO as a data controller, or unlawfully obtaining personal data). All offences are punishable by a fine on conviction (and officers of a breaching organisation may be individually liable if they consented to the offence or were neglectful in their duties).
Monetary penalties therefore play a relatively minor role in the ICO’s enforcement practices, and are generally only to be imposed for the most serious of breaches where previous, more informal, enforcement steps by the ICO have failed to rectify any potential breach. However, as the ICO gains more experience in imposing such monetary penalties, and now that the maximum level has been increased to £500,000, we may start to see such penalties imposed with greater frequency and at higher levels. That said, the ICO’s monetary penalty powers for data privacy enforcement are put into stark perspective by the fining powers of other industry regulators such as the Financial Services Authority (FSA), which has far greater fining powers for data security breaches that fall within its remit. The largest fine imposed by the ICO to date is a monetary penalty of £120,000 against Surrey County Council (as set out in our post on this blog of 14 June 2011), whereas the FSA’s data security fining record currently stands at £2.27 million against the UK business of Zurich Insurance. The reputational damage following the imposition of a monetary penalty by the ICO should not be underestimated, however, and businesses operating in the UK should take advantage of the ICO’s generally pragmatic approach by working with the ICO and following its guidance and recommendations to ensure that the issue of formal enforcement action and monetary penalties does not arise in practice.