Words and sentences
Data security incidents have featured all too regularly in the news in recent times. This has been due to a multitude of cases in which organisations in both the public and private sectors have lost significant amounts of personal information. Prompted by diminishing public trust and confidence in the proper handling of our personal information, the UK Government is finally minded to take action. Recent weeks have, in particular, seen a number of important developments which will result in new and improved enforcement powers for breaches of UK data protection laws.
Prison sentences for misuse
The Ministry of Justice began by publishing on 15 October 2009 a consultation paper (CP22/09) on the proposed introduction of custodial sentences for the misuse of personal data. Section 77 of the Criminal Justice and Immigration Act 2008 (CJIA) gives the Home Secretary power to increase the penalties presently available for offences committed under s 55 of the Data Protection Act 1998 (DPA), but until now the power has not been used.
The UK Government has proposed that those convicted of the knowing or reckless misuse of personal data be liable to imprisonment for a maximum two years on indictment and 12 months on summary conviction. This would be in addition to the current sanctions of an unlimited fine on indictment and a fine not exceeding the statutory maximum (£5,000) on summary conviction.
As provided for by s 78 of CJIA, a new defence would also be introduced for offences under s 55 of DPA. This would mean that if a person obtained, disclosed or procured personal data for what is known as “the special purposes” (i.e. journalistic, artistic or literary purposes) with a view to publication of journalistic, literary or artistic material, and that person acted in the reasonable belief that the obtaining, disclosing or procuring of such information was in the public interest, then no offence under s 55 will have been committed.
There have been longstanding concerns that the current provisions of the DPA do not serve as a sufficient deterrent to those who breach s 55, whether they be journalists, private investigators, tracing agents, or police officers and staff who misuse the police national computer. This lack of “bite” was commented on recently by the courts when Matthew Single, a former member of the BNP, was convicted of posting the party’s membership list on the internet without its permission.
The district judge remarked that “it came as a surprise to me, as it will to many members of the party, that to do something as foolish and as criminally dangerous as you did will only incur a financial penalty”. Even then Mr Single was fined a paltry £200, as the judge took into account the fact that he was dependent on state benefits.
The Information Commissioner, Christopher Graham, has himself described the existing penalties under the DPA as “pathetic”. In his response to the MoJ consultation he argued strongly that custodial sentences at the proposed level are necessary to provide an “effective deterrent against the illegal trade in personal data”. The recent announcement that rogue employees at T-Mobile had sold on thousands of customer account details to brokers for use by T-Mobile’s competitors is a timely reminder that such unlawful trade is thriving.
The consultation ended on 7 January, with a response set to be published by the end of the month. It is clear, however, that the UK Government is now persuaded of the need to act, and public sentiment is likely to be strongly in favour of the proposals. It is envisaged that the proposed new penalties would take effect in April 2010.
Civil fines for serious breaches
On 9 November the Ministry of Justice issued a second consultation paper (CP48/09) entitled “Civil Monetary Penalties: Setting the maximum penalty”. By way of background, s 144 of CJIA amended the DPA by giving the Information Commissioner the power to impose civil monetary penalties for serious breaches of the DPA. Although the CJIA received Royal Assent on 8 May 2008, s 144 has not yet entered into force.
Once implemented, s 144 will amend the DPA by introducing new ss 55A-55E, to give the Information Commissioner the power to impose a civil monetary penalty on data controllers where:
(a) there has been a serious breach of one or more of the eight data protection principles,
(b) the breach was of a kind likely to cause substantial damage or substantial distress, and
(c) either (i) the breach was deliberate; or (ii) the data controller knew or ought to have known that there was a risk that the breach would occur, and that such a breach was of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the breach.
Before a penalty can be imposed the Information Commissioner will have to issue the organisation concerned with a notice of intent. This notice must tell the organisation of its right to make representations to the Commissioner before a final decision is made. There will also be a right of appeal to the Information Tribunal (shortly to be replaced in terms of the Tribunals, Courts and Enforcement Act 2007) once a penalty notice has been served.
As the Ministry of Justice has already informally consulted with certain stakeholders, this second consultation invited comment on one issue only, the proposed maximum penalty. The question was simple: Do you consider that a penalty of up to £500,000 provides the ICO with a proportionate sanction for serious contravention of the data protection principles?
In arriving at its proposal, the MoJ decided against suggesting a system based on a percentage of an organisation’s turnover, as used by other regulators. It did so on the basis that this would impose a greater administrative burden. The MoJ does, however, consider that the maximum penalty should be no higher than 10% of the highest annual turnover of a small company.
The proposed maximum fine is to be contrasted with the powers available to other regulators such as the Financial Services Authority when dealing with regulated firms. To put this into context, in July 2009 three HSBC firms, HSBC Life (UK) Ltd, HSBC Actuaries and Consultants Ltd and HSBC Insurance Brokers Ltd, were in aggregate fined over £3 million by the FSA for data security failings.
It appears then that the Information Commissioner can only dream of having such powers. Nevertheless, the proposal represents a significant change in current practice and should ensure that data protection compliance features prominently in discussions at executive level.
This consultation ended on 21 December and a response was expected to be published by 11 January. It is envisaged that the new penalties will take effect possibly at the same time that custodial sentences for the misuse of personal data take effect.
Draft ICO guidance
The consultation also follows swiftly on from draft guidance issued by the Information Commissioner’s Office on 4 November on monetary penalties. The guidance, which the Commissioner will be required to issue by s 55C of DPA, explains how he intends to interpret his powers to impose monetary penalties. In particular, it explains what he regards as a “serious” breach of the data protection principles. Perhaps unsurprisingly, he gives the now all too familiar example of an organisation failing to take adequate security measures resulting in the loss of a CD containing personal data.
The guidance also addresses the “reasonable steps” that organisations are expected to take to prevent a breach in the first place (such as having suitable policies and procedures and adhering to the Commissioner’s codes of practice and guidance), and how he will interpret terms such as “substantial”, “damage”, “distress”, “reckless”, and “deliberate”.
It goes on to address issues such as when the Information Commissioner would consider it right to issue a monetary penalty notice, how the level of the penalty will be determined, what a notice of intent to issue a penalty will contain, the scope for challenging a notice of intent, the monetary penalty notice, and the right of appeal.
The Coroners and Justice Act 2009
And if all that was not enough to be going on with, the Coroners and Justice Act 2009 received Royal Assent on 12 November. The Act amends the DPA in a number of ways by giving the Information Commissioner enhanced powers. He now has the right to serve Government departments and other designated public authorities and persons with an “assessment notice” so that he can establish whether they have complied or are complying with the data protection principles. This new power is contained in ss 41A-41C of DPA as amended. The Commissioner’s powers in relation to warrants for entry and inspection, as contained in sched 9 to DPA, have also been extended. The Commissioner is also now required to issue a code of practice on data sharing, as provided for and regulated by ss 52A-52E of DPA as amended.
Going forward
Taken together, these changes make up the most significant reform of the current UK data protection regime since it was implemented in 2000. They serve as an important wake-up call to organisations, reminding them of the need to take data protection seriously or face the consequences.
David Gourlay is a partner with McClure Naismith LLP