ICO Issues First Monetary Penalties for Serious Data Breaches

These are the first substantial fines imposed by the ICO, following the introduction of the new monetary penalties in April this year and the cases will attract huge attention as a result. The ICO has the power to award fines of up to £500,000 for serious breaches of the Data Protection Act, but until now, no major fines have been levied and it has been difficult to give real examples of the likely amounts for serious breaches.

The ICO has issued guidance on the new monetary penalties regime, which includes further details of the Commissioner’s approach to these cases of serious data protection breach. The decision making process followed by the Commissioner is set out in a flowchart within the guidance, as follows:

The Commissioner has to be satisfied that –

1. There has been a serious contravention of section 4(4) of the Data Protection Act by the data controller; and

2. The contravention was of a kind likely to cause substantial damage or substantial distress; and either,

3. The contravention was deliberate; or,

4. The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

Once satisfied, the Commissioner will consider the level of fine to impose. The cases contained within the new press release may not be at the upper end of the scale, but they are not insignificant and should be noted by data controllers.

Authored by HL Chronicle of Data Protection Team.