{php}echo $_SESSION['the_Crumb'];{/php}

short lines

Personal data security breaches: at what cost?

February 2010

In March 2009 we reported on the increase in the number of data security breach cases notified to the Information Commissioner’s Office (“ICO”) and the introduction of new powers to impose monetary penalties on data controllers who commit serious contraventions of the data protection principles. See www.kemplittle.com/html/stay-posted/publications/short-lines/data-security-breaches-march-2009.html.

The new powers to impose monetary penalties on data controllers are part of a general strengthening of the ICO’s arsenal taking effect in 2010. Other new enforcement measures will enable the ICO to serve “assessment notices” and will introduce powers for entry and inspection, where assessment notices are not complied with, following changes to the Data Protection Act 1998 (“DPA”) through the Coroners and Justice Act 2009. The categories of data controllers who may be served assessment notices are government departments, but other public authorities may also be included once designated by the Secretary of State. Although private sector organisations are currently excluded, it is possible that categories of private sector organisations could be designated at a later date.

Whilst the development of the scope of ICO’s additional powers of assessment and inspection should be monitored, it is the ICO’s ability to issue monetary penalties which is of greatest interest to most data controllers. Almost a year on from our initial consideration of these abilities and in an environment where the public is becoming ever increasingly security conscious, we:

provide an update on the level of monetary penalties;
consider when monetary penalties are likely to be imposed in light of new guidance issued by the ICO; and
review how data security breaches by data processors may impact on the level of any monetary penalty.

Maximum penalty

In the autumn of 2009 the Ministry of Justice undertook an impact assessment on civil monetary penalties for the ICO. The impact assessment considered various options for the maximum amount of the monetary penalty, which ranged from £50,000 to £2.5 million to 10% of the data controller’s annual turnover. The impact assessment concluded that a maximum penalty of £500,000 was preferable on the basis that it would act as an effective deterrent for the majority of data controllers and was the most practical to enforce. The Government’s response to a consultation paper on the amount of the penalty concluded similarly.

On 12 January 2010, statutory guidance on civil monetary penalties produced by the ICO and approved by the Secretary of State for Justice was laid before Parliament (“Guidance”)[1]. The Guidance sets out how the ICO will decide whether to impose a penalty, the amount of the penalty, as well as details of the enforcement process. With legislation both passed and being passed[2], the ICO’s powers to impose monetary penalties are expected to come into force on 6 April 2010.

We examine how the ICO will determine (i) whether to impose a penalty; and (ii) the amount of any penalty further below.

Circumstances in which a monetary penalty will be imposed

Section 55A of the DPA provides that a monetary penalty notice may be served where there is:

a serious contravention of the data protection principles; and
such contravention is likely to cause substantial damage or substantial distress; and either
the contravention was deliberate; or
the data controller new or ought to have known that there was a risk that such a contravention would occur and that such a contravention would be of a kind likely to cause substantial damage or distress but failed to take reasonable steps to prevent the contravention.

The ICO’s interpretation of some of the terms used in section 55A are set out in the Guidance, but are not subject to discussion here. The Guidance also sets out a list of circumstances which will make the imposition of a monetary penalty more likely. The list includes the following factors:

seriousness of contravention – which may be measured by the nature of the personal data concerned; duration and extent of the contravention; number of individuals affected; and/or whether the contravention was a result of deliberate or negligent behaviour;
likelihood of substantial damage or distress – whether the contravention was of a kind more likely than not to cause substantial damage or distress to one or more individuals;
deliberate contravention – a penalty is more likely to be imposed if the contravention was deliberate or pre-mediated; if the data controller was aware of, but did not follow specific advice relating to the contravention; or the contravention is similar to a series of similar incidents by the data controller;
reckless contravention –the likelihood of a contravention was apparent to a reasonably diligent data controller; the data controller adopted a cavalier approach to compliance and did not take reasonable steps to prevent the contravention; the data controller failed to undertake an assessment of, or recognise any risks in, handling personal data and failed to take steps to address those risks; the data controller had no specific procedures or processes in place for preventing the contravention; and
other considerations – the ICO wishes to deter other data controllers from similar contraventions.

Determination of the amount of the penalty

The Information Commissioner has stated in the Guidance that monetary penalties will be reasonable and proportionate, given the facts of the case and the underlying objective in imposing the penalty. According to the Guidance, the issues to be taken into account in determining the amount of the penalty may include:

the nature of the contravention, which might take into account, for example, the nature of the personal data and number of data subjects affected; whether the contravention was a single incident or one of a series of related incidents; to what extent the contravention was caused or exacerbated by matters outside the control of the data controller (e.g. by a data processor);
the effect of the contravention, in essence whether there was, could be or could have been substantial damage or substantial distress caused to data subjects;
behavioural issues, such as the steps, procedures or processes in place and/or taken by the data controller to avoid a contravention; the action taken by the data controller following the contravention, including whether the contravention was concealed or reported to the ICO; and the extent to which the data controller co-operated with the ICO;
impact on the data controller, taking into account factors such as the size, financial and other resources of the data controller; any financial gain obtained from non-compliance; and any proof of genuine financial hardship supplied; and
other considerations, for example whether there is a point of principle at stake.

Procedure

The Guidance states that a data controller will be informed of the estimated amount of the penalty in a ‘notice of intent’, along with the ICO’s reasoning behind the decision to impose a monetary penalty, amongst other information. The data controller will have at least 21 days beginning on the day after the date of service of the notice to make written representations, for example on the facts and views of the ICO set out in the notice of intent, to the ICO. The ICO must fully consider the data controller’s representations before making a final decision, which may necessitate re-considering whether a monetary penalty is appropriate, and the amount of any monetary penalty. Once a final decision has been made, a monetary penalty notice will be issued and published on the ICO’s website. Where full payment is made within 28 days, an early payment discount of 20% will apply. Data controllers will have the right to appeal against a monetary penalty notice to the General Regulatory Chamber (First tier Tribunal).

Role of data processors in data security breaches

Although monetary penalties can only be enforced on data controllers (as only they and not data processors are responsible for compliance with the DPA) where a data security breach arises as a result of an act of a data processor, the ICO’s guidance indicates that this may be a factor in determining whether or not to impose a monetary penalty and the amount of any that penalty. In particular, the guidance provides that the imposition of a monetary penalty is less likely where: “a contravention was caused or exacerbated by circumstances outside the direct control of the data controller and the data controller had done all that it reasonably could to prevent contraventions of the [DPA]”. The Guidance goes on to cite an example of this being where a data controller has a contract in place with its data processor and properly monitors the data processor’s compliance with the contract. The guidance states that the determination of the amount of the penalty will take into account the same circumstances.

Furthermore, where a monetary penalty notice is issued and a security breach is caused entirely by the actions of a data processor, the guidance gives an example of a response which a data controller may wish to provide as being “a full explanation of the circumstances that led to the breach together with a copy of the contract between the data controller and the data processor and the steps taken by the data controller to ensure compliance with the security guarantees in the contract”. The implication is that providing such a response could reduce the amount of a monetary penalty or result in no penalty being imposed.

It also appears from a recent undertaking that data processors may not always be able to escape the scrutiny of the public eye. In the undertaking of Verity Trustees Ltd, Northgate Arinso, the suppliers of the Trustees’ computerised pensions administration system were specifically referenced, as the theft of a laptop containing personal and financial details of 110,000 individuals occurred from Northgate’s locked server room[3]. Although Verity Trustees have subsequently taken action to put in place data security obligations with their suppliers (which, incidentally, the undertaking requires them to do within 6 months of the date of the undertaking), the negative publicity caused by such naming and shaming and the threat to business may provide data processors with an incentive to put in place or re-examine their own security procedures and processes in any event.

Closing thoughts

The ICO has stated in the Guidance that “the purpose of a monetary penalty notice is not to impose undue financial hardship on an otherwise responsible data controller” and so the powers will not be used to cripple businesses. However, the ICO has not sought and obtained these powers without an intention to use them. With that backdrop all data controllers are recommended to review their DPA compliance. Being the first recipient of a fine from the ICO under the new powers is a move that all data controllers should seek to avoid.

Calum Murray

[1]http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_guidance_monetary_penalties.pdf

[2]The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010(SI 2010/31): http://www.opsi.gov.uk/si/si2010/uksi_20100031_en_1 and The Data Protection (Monetary Penalties) Order 2010 (draft):http://www.opsi.gov.uk/si/si2010/draft/ukdsi_9780111490723_en_1

[3]http://www.ico.gov.uk/upload/documents/library/data_protection/notices/verity_trustees_pensions_trust_undertaking.pdf