09 April 2010

Art and cultural assets news - spring: penalties and prison — data protection just got serious…

Emma Flower
Senior associate | UK

New laws see the introduction of a fi ne of up to £500,000 for data protection breaches, and the possibility of up to two years in prison.

Monetary fines

From 6 April 2010, the Information Commissioner will have the power to fi ne organizations up to £500,000 for any serious breach of the Data Protection Act 1998. The new powers are the result of a recent consultation by the Ministry of Justice,which bowed to the Information Commissioner's desire for meaningful penalties that would give him similar powers to those enjoyed by many of his European counterparts.

For such a fine to be levied, there has to have been a serious breach of data protection likely to cause damage or distress; the breach must have been either deliberate or negligent; and the organization must have failed to take reasonable steps to prevent it.

With over 700 data breaches reported in the UK in the last two years, it seems all too easy to fall foul of the rules. The misuse of even small amounts of personal data can be considered to have serious consequences, and as the Justice Minister, Michael Wills, put it – penalties of up to £500,000 ‘will ensure the Information Commissioner is able to impose robust sanctions on those who commit serious contraventions of the data protection principles'

However Christopher Graham, the UK's Information Commissioner, has emphasized that in deciding the fine to levy, he would take into account the organization's size, financial resources, the severity of the breach and the industry sector (for example, whether the data controller is a voluntary organization). He has pointed out that, ‘the purpose of the fi ne is not to impose undue financial hardship on an otherwise responsible data controller'.

Custodial sentencing

A second consultation on the introduction of custodial sentences for those found guilty of knowingly or recklessly obtaining, disclosing, selling or procuring the disclosure of personal data without the consent of the data controller has just closed. It is proposed that prison sentences should be set at the maximum available under statute, of 12 months on summary conviction, and up to two years on indictment. The Ministry of Justice's reaction to the consultation is expected in early 2010.

A new dawn for data protection

Data protection has always been a difficult area for organizations holding personal data. There is a delicate balancing act between, on the one hand, ensuring that personal information is protected and, on the other hand, enabling a practical and sensible use of that information. The consequences of getting it wrong have just got serious, and data controllers should review their policies and procedures to ensure they are not the fi rst to be caught out by the new laws.

Emma Flower Senior associate | London

Category: Article

Focus areas