Monetary penalties: ICO publishes guidance; fines go live 6 April

Claire Walker

The ICO has confirmed that new powers to impose fines of up to £500,000 for serious breaches of the DPA will come into force on 6 April. And the Commissioner has said he will not hesitate to use them for the most serious cases. Responsible data controllers who follow good data protection practice should have nothing to fear, however. The Commissioner’s Office has published statutory guidance explaining how it will use its new powers, and how to stay out of trouble!
The new powers are to be found in the recently added section 55A of the DPA (introduced by section 144 of the Criminal Justice and Immigration Act 2008) and will apply to serious breaches of the Act which are likely to cause substantial damage or distress, and which are committed deliberately or recklessly.
As well as explaining the procedural aspects of the new sanction, the guidance includes a section on the circumstances in which the Commissioner would consider it appropriate to issue a monetary penalty notice (for example, in the topical context of security breaches). This incorporates practical illustrations of each of the key elements of the section 55A test. There is also guidance on the factors the ICO will take into account when determining the amount of the penalty.
For responsible data controllers, the guidance is in effect a handy checklist of all the good practice measures to have in place to avoid incurring a fine.
(Datonomy is pleased to see its earlier prediction about the go-live date for the fines confirmed – although given that 6 April is one of the Government’s twice-yearly “red tape” days, that bit wasn’t exactly rocket science!)
