The Information Commissioner’s new powers to impose fines of up to £500,000 for serious breaches of the Data Protection Act 1998 (the Act) or of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (Privacy Regulations) have now been widely reported. So far this year the Information Commissioner has been consistent in issuing at least one Monetary Penalty Notice (MPN) per month with fines ranging in value from £60,000 to £325,000. However, for most businesses the circumstances which can lead to the issuing of an MPN remain something of a mystery.
This article aims to shed some light on the circumstances in which the Information Commissioner may exercise its powers to issue an MPN, and to outline some key steps which businesses can take to minimise the chance of an MPN being issued against them.
The Criteria for Issuing an MPN
In order to issue an MPN the Information Commissioner must be satisfied that:
(i) the Data Controller has seriously contravened the Act or the Privacy Regulations; and
(ii) the contravention was likely to cause substantial damage or distress and either:
(a) the contravention was deliberate; or
(b) the Data Controller knew or ought to have known that there was a risk that the contravention would occur and that it would be likely to cause substantial damage or distress but still failed to take reasonable steps to prevent it from happening.
When deciding whether this test has been satisfied the Information Commissioner will apply the following rules:
A serious contravention can arise as the result of a one-off breach of the Act or the Privacy Regulations, or following a series of breaches.
The term damage refers to financial loss suffered by an individual, whilst the term distress covers injury to feelings or anxiety suffered by an individual as a result of the contravention. If the damage or distress caused was considerable in importance, value, degree, amount or extent, it will be deemed substantial.
A contravention will be deemed to be deliberate if any one of the following conditions is fulfilled:
• the contravention was premeditated
• the person concerned was aware of, and did not follow, specific advice published by the Information Commissioner or others that was relevant to the contravention
• the contravention followed a series of similar contraventions by the same entity and no action had been taken to rectify the cause of the original contraventions
A Data Controller is considered to have known, or to have ought to have known, that there was a risk that the contravention would occur if:
• the likelihood of the contravention should have been apparent to a reasonably prudent person
• the person concerned had adopted a cavalier approach to compliance and failed to take reasonable steps to prevent the contravention
• the person had failed to carry out any sort of risk assessment and there is no evidence, whether verbal or in writing, that the person had recognised the risks of handling personal data and taken reasonable steps to address them
Where the Information Commissioner believes that the conditions for issuing an MPN have been met, a number of factors will be considered in deciding the level at which the MPN will be set. These include whether the contravention was a one-off or part of a series of similar breaches, whether there was a deliberate lack of co-operation, and what steps were taken once the Data Controller became aware of the breach.
A summary of the MPNs issued so far this year is set out below to illustrate how the Information Commissioner has applied these criteria in practice.
MPNs Issued in 2012
October 2012: An MPN for £70,000 was issued to Norwood Ravenswood Limited following the loss of a package of highly sensitive information about the care of four young children. The package had been left on the street outside a London home for collection by the occupant on their return; by the time the occupant returned it had been removed, and it has not yet been located.
September 2012: An MPN for £250,000 was issued to Scottish Borders Council after pension records relating to former employees were found in an overflowing paper recycling bank in a supermarket car park.
August 2012: An MPN for £175,000 was issued to Torbay Care Trust following the publication of sensitive personal information about 1,373 employees on the Trust’s website.
July 2012: An MPN for £60,000 was issued to St George’s Healthcare NHS Trust after sensitive medical details concerning a vulnerable individual were sent to the wrong address.
July 2012: An MPN for £150,000 was issued to Belfast Health & Social Care Trust after the Trust failed to report to the Information Commissioner an incident compromising sensitive personal data relating to thousands of patients and staff.
June 2012: An MPN for £90,000 was issued to Telford & Wrekin Council following two breaches of the Act. A report containing confidential and sensitive personal data was sent to the sibling of the child concerned instead of to the child’s mother. While this incident was being investigated, a second incident was reported to the Information Commissioner’s Office (ICO) concerning the inappropriate disclosure of foster carers’ names and addresses to a child’s mother. Both children concerned had to be re-homed.
June 2012: An MPN for £325,000 was issued to Brighton & Sussex University Hospitals NHS Trust after hard drives sold on an internet auction site were found to contain highly sensitive personal data belonging to tens of thousands of patients and staff.
May 2012: An MPN for £90,000 was issued to Central London Community Healthcare NHS Trust after sensitive personal data was faxed to an incorrect number. The contravention was repeated on numerous occasions over a number of weeks and concerned personal data relating to 59 data subjects.
May 2012: An MPN for £70,000 was issued to the London Borough of Barnet after a burglary at an employee’s home led to the loss of sensitive information relating to 15 vulnerable children.
April 2012: An MPN for £70,000 was issued to Aneurin Bevan Health Board after a sensitive report containing details of a patient’s health was sent to the wrong person.
March 2012: An MPN for £70,000 was issued to Lancashire Constabulary after the discovery of a missing person’s report containing sensitive information about a 15-year-old girl.
February 2012: An MPN for £80,000 was issued to Cheshire East Council after an email containing sensitive personal information was inadvertently distributed to 180 unintended recipients.
February 2012: An MPN for £100,000 was issued to Croydon Council following the theft from a London pub of a bag containing papers relating to the care of a child sex abuse victim.
February 2012: An MPN for £80,000 was issued to a County Council after details of allegations regarding a parent and the welfare of their child were disclosed to the wrong recipient.
January 2012: An MPN for £140,000 was issued to Midlothian Council after sensitive personal data relating to children and their carers was disclosed to the wrong recipients on five separate occasions.
Practical Steps to Avoid MPNs
The key to avoiding a situation which may result in an MPN being issued against you is to ensure that you have solid data protection practices in place and, crucially, that you have instilled a culture of data awareness and sensitivity throughout your organisation. The majority of the MPNs issued this year could have been avoided had the individuals concerned been trained to follow data handling procedures, or had they simply applied everyday common sense when handling data. Some key steps businesses can take to minimise the risk of an MPN being issued against them are:
• conduct a data protection risk assessment to identify the data risks within your business and the steps that can be taken to address them
• put in place appropriate policies, practices and procedures to ensure that data is handled in accordance with the Act and the Privacy Regulations, specifically addressing any particular risk areas, and review and update these regularly
• ensure that everyone within your business has had appropriate data protection training for the role they carry out and knows what policies, practices and procedures you have in place, where these can be found, and to whom within the organisation they should address any questions or concerns
• maintain a written record to evidence the compliance steps that you have taken
• consider whether you need to implement any technological measures to ensure the security of your data, such as the use of encryption
• pay particular attention to data protection issues where the personal data of large numbers of individuals, or sensitive data, is concerned
• keep an eye on the Information Commissioner’s Office website (www.ico.gov.uk) and review material issued by any relevant regulatory or advisory bodies for new guidance or codes of practice that may be relevant to your business, and ensure that you apply these
• take immediate action to resolve any known issues, such as problems with IT systems
• if you become aware of any suspected data breach, take legal advice and contact the Information Commissioner’s Office immediately
If the Worst Should Happen…
If you find yourself facing an MPN following a data breach, it should not come as a shock when it eventually lands on your desk. By the time the MPN is issued you should already have been through a period of communication with the ICO regarding the breach and are likely to be well aware that an MPN is on the cards. However, even once the breach has occurred there are steps that you can take to mitigate the risk to your business:
• be proactive in reporting breaches, taking legal advice and instigating your data breach procedures at the earliest possible stage
• take any action appropriate to mitigate the effect of the breach
• co-operate with the Information Commissioner, both in assisting with any investigation into the breach and in following any suggestions made for the mitigation of damage
• you will receive a Notice of Intent and have a chance to make representations on it before the MPN is issued; find a legal advisor who can help you make appropriate representations
• you can appeal an MPN, and should ask your legal advisor to assist you in identifying any grounds of appeal that you may have and, if appropriate, in following the appeals procedure