Watch out, the Information Commissioner is about….
Tougher penalties for breaches of the Data Protection Act
The provisions of the Criminal Justice and Immigration Act 2008 (the “Act”) relating to the Data Protection Act 1998 are yet to come into force (although they are likely to come into force in early April 2010), but when they do, they will have the effect of toughening up penalties for certain offences under the Data Protection Act.
The Act will amend the penalties for the offence under the Data Protection Act where personal information is unlawfully obtained, disclosed or sold without the consent of a Data Controller (a Data Controller is any person who determines the purposes for which, and the manner in which, any personal data is to be processed). The new maximum penalties will mean that a person found guilty of the offence could face up to two years' imprisonment, a fine or both.
The Act also gives the Information Commissioner new powers to fine individuals or companies in certain cases, without having to commence court proceedings. The Information Commissioner may serve a monetary penalty notice if satisfied that there has been a serious contravention of the principles of the Data Protection Act of a kind likely to cause substantial damage or distress, and that the contravention was either deliberate, or the Data Controller knew or should have known that there was a risk that the contravention would occur and failed to take reasonable steps to prevent it.
The maximum fine is capped at £500,000, and an early payment discount of 20% is available. While it is unlikely that these powers will be used except in the most serious cases, these provisions do provide the Information Commissioner, who has previously been criticised in some quarters for not taking firm enough action against offenders, with significantly more weapons to deal with breaches of the data protection legislation.
Increase in Fees
The Information Commissioner’s Office (“ICO”) is a government organisation set up to regulate and enforce access to and the use of personal information in the UK. Any Data Controller must be registered with the ICO, or risk facing prosecution and a fine. Nearly all UK businesses will be Data Controllers and should therefore be registered.
Before 1st October 2009, the fee for registration as a Data Processor with the ICO was £35 per year regardless of the size or turnover of the organisation. However, from 1st October 2009, Data Controllers who either:
- have a turnover of £25.9 million or more and 250 or more staff; or
- are a public authority and have 250 or more members of staff,
will have to pay an increased annual fee of £500 when they register or renew their applications. If an organisation does not fall within these thresholds then the fee of £35 per year is still applicable.
If you would like more information on any issues relating to data protection, then please contact either Nick Phillips, a partner in the IT/IP Department or Denise Herrington, a partner in the Corporate and Commercial Department.
