Trusted legal advice since 1733
Blandy & Blandy Solicitors

Insights // 22 September 2015

Unlimited Fines for Data Protection Offences

Partner Debbie Brett, in our Corporate & Commercial team, discusses unlimited fines for data protection offences.

The Legal Aid, Sentencing and Punishment of Offenders Act 2012 (Fines on Summary Conviction) Regulations 2015 came into force on 12 March 2015. The Regulations authorise the Magistrates’ Court to impose unlimited fines for criminal offences under the Data Protection Act 1998 (DPA).

What constitutes a criminal offence under the DPA?

If an individual obtains or discloses personal data without the consent of the data controller, a criminal offence will be committed under section 55 of the DPA, and as a result of the new legislation, fines of an unlimited amount can be imposed at sentencing. A data controller is a person who, either alone or jointly or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed.

What’s changed?

Up until 12 March 2015, fines were set at different statutory levels ranging from £200 up to £5,000. This has now changed: the cap of £5,000 has been removed, and Magistrates may now impose increased fines where they see fit.

The uncertainty of the new rules is now a concern for companies, which were previously able to predict what their ‘worst case scenario’ would be if they were to commit a breach. Companies that have taken a calculated risk on the basis of the low penalty will therefore need to re-assess their risk control and management systems.

The Information Commissioner’s Office (ICO), an independent authority established to uphold information rights in the public interest, has welcomed the removal of the cap after many years lobbying for more effective sentences, and it advocates custodial sentences for the most serious ‘blagging’ breaches committed by those selling personal data to investigators or journalists.

However, the ICO has stated that data processing managers need not be too alarmed by the removal of the cap. Where an error of judgement has been made when sharing data for legitimate reasons, or where data processing/protection managers may have been deceived into disclosing personal data, although they will be legally accountable, the ICO has commented that they are unlikely to be affected by the new rules, unless a criminal offence is committed.

Nevertheless, in view of the changes, the removal of the cap should encourage organisations to tighten up their data management systems.

For further information or legal advice, please contact law@blandy.co.uk or call 0118 951 6800. 

This article is intended for the use of clients and other interested parties. The information contained in it is believed to be correct at the date of publication, but it is necessarily of a brief and general nature and should not be relied upon as a substitute for specific professional advice.

Debbie Brett


Partner, Corporate & Commercial
