DATA PROTECTION: LEGAL CONSEQUENCES OF A FAILURE TO COMPLY
Emma Gilpin, Brodies LLP 4 March 2010
Introduction
- You have heard what is required in order to comply. But what happens if there is a failure to follow those requirements?
- The HMRC breach and other high-profile examples of failure to comply have brought the consequences into focus.
Consequences of failure to comply
- Reputational
- Commercial
- Operational
- Political
- Legal
Legal consequences of failure
An overview of the legal consequences of a failure to comply with the DPA:
- ICO powers:
  - to carry out an investigation
  - Enforcement Notices
  - enhanced power to carry out an audit and issue Assessment Notices
  - new power to fine
- Other potential consequences under the DPA:
  - section 10 notices
  - claims for compensation under section 13
  - section 55 offences
Legal consequences of failure (continued)
- Other potential challenges by aggrieved parties:
  - actions for breach of contract
  - actions for breach of confidence
  - interdict to prevent processing
- Sector-specific consequences
- Some pointers for managing a failure to comply
ICO powers
- The ICO has the power to carry out an investigation into a potential breach.
- If a breach is found, the ICO may:
  - require the Data Controller to sign an undertaking
  - issue an Enforcement Notice
  - from 6 April 2010, issue a fine to a Data Controller
ICO powers: investigation by the Information Commissioner's Office
- The ICO may carry out an investigation into an alleged failure, if the failure is brought to its attention (which raises issues around notification).
- Notification of breach:
  - There is no express duty in the DPA to notify either the ICO or any affected data subjects of a failure to comply.
  - However, ICO guidance provides that notification should be made of any "serious breach".
  - The key consideration in whether a breach is "serious" is the extent to which harm is likely to arise from it.
ICO powers: Undertakings
- Where there is "significant actual or potential harm" as a result of the breach, because of the volume or nature (sensitivity) of the data (or both), the ICO should be notified.
- NB: consider the implications of notification in light of the new powers to fine.
- There may be other, non-DPA requirements to notify, e.g. contractual obligations, regulatory requirements, a duty to tell insurers.
- Undertakings: the ICO may require Data Controllers to enter into formal undertakings.
ICO powers: Enforcement Notices
- The ICO may serve an Enforcement Notice where it is "satisfied that a Data Controller has contravened or is contravening any of the data protection principles".
- The notice may require the Data Controller to take, or refrain from taking, specified steps and/or to refrain from processing personal data.
- Usually used where the Data Controller is failing to cooperate with the ICO.
- Failure to comply with a notice is a criminal offence.
- The ICO may serve an Enforcement Notice in respect of the same breach as a Monetary Penalty Notice.
ICO powers: Monetary Penalty Notices (from 6 April 2010)
- Section 144 of the Criminal Justice and Immigration Act 2008 introduced new provisions into the DPA (sections 55A to 55E).
- Section 55A gives the Information Commissioner the power to impose civil monetary penalties for breaches of the DPA.
- Applies throughout the UK.
- No retrospective effect: applies only to breaches that occur from 6 April 2010 onwards.
ICO powers: conditions for a Monetary Penalty Notice
The Information Commissioner may serve a monetary penalty notice on a Data Controller if satisfied that:
- there has been a serious breach of section 4(4) by the Data Controller;
- which was of a kind likely to cause substantial damage or distress; and
- which was either deliberate or reckless.
Section 55A(3) sets out the test for "reckless" (the Data Controller knew or ought to have known that there was a risk of the contravention, and failed to take reasonable steps to prevent it). ICO guidance has been issued.
ICO powers: key points from ICO guidance
- Whether a breach is serious will be determined objectively, in line with the "reasonable expectations of individuals and society".
- Damage is "any financially quantifiable loss".
- Distress is "any injury to feelings, harm or anxiety".
- The ICO will only use a fine if "appropriate" to do so.
- Amount of fine:
  - The maximum penalty is (currently) £500,000.
  - Compare this to FSA financial penalties: HSBC was fined £3,000,000 for failing to have adequate systems and controls in place to protect customers' information.
  - Revised FSA guidance is due to be issued on 6 March 2010.
  - It is very difficult to know how the ICO will determine the amount in practice; we will have to wait and see.
ICO powers: powers to carry out an audit
- The ICO currently has the power to carry out an audit with the consent of the Data Controller (an assessment under s51(7)) and to issue an assessment notice.
- It will carry out a general audit of compliance and issue an Assessment Notice informing the Data Controller of the results.
- Implications of having such an assessment carried out: ICO guidance on Monetary Penalty Notices indicates that no monetary penalties will be imposed for breaches discovered during a s51(7) assessment.
- From 6 April 2010 the ICO's powers of assessment will be enhanced.
ICO powers: enhanced powers of audit
- The Coroners and Justice Act 2009 introduced new sections into the DPA (sections 41A to 41C), giving the ICO increased powers to carry out audits by serving Assessment Notices.
- Significance? No consent is required, and the powers are more detailed than the general audit powers.
- What is an Assessment Notice? A notice requiring a Data Controller to do all or any of the things listed in s41A(3), including:
  - to permit the ICO to enter specified premises, observe the processing of data and inspect documents, information and equipment
  - to make available for interview individuals carrying out processing
ICO powers: which data controllers are "on the hook" for the enhanced audit powers?
- "Government departments": includes any part of the Scottish Administration and any body exercising functions on behalf of the Crown.
- Scope for designation of "public authorities" by ministerial order:
  - not done yet
  - no requirement to consult
  - applies to bodies that are subject to FOISA (particularly interesting given the proposed extension of FOISA, which could bring private sector organisations within scope)
ICO powers: scope for designation of any "person"
- Only on the recommendation of the ICO.
- There would be a requirement to consult.
- May be used to bring in private sector organisations that regularly deal with particularly sensitive data, or with which there have been particular problems.
- The Information Commissioner has indicated that he will actively push for the extension of this power to others, so it is likely to happen.
ICO powers: draft Code of Practice on assessment notices
- Consultation on the code closes on 24 March.
- The draft code indicates that notices will be served where risks are identified and the Data Controller is "unwilling to engage voluntarily".
- Notices may be used to check compliance with a formal undertaking or an Enforcement Notice.
- It is not entirely clear whether breaches discovered through such an audit will attract a fine; the guidance is unclear.
Other legal consequences under the DPA: section 10 notices
- Section 10 of the DPA gives a data subject the power to write to the data controller requiring it to cease, or not to begin, processing their personal data.
- The grounds on which such a notice can be issued are:
  - that the processing is causing (or is likely to cause) substantial damage or substantial distress to the data subject or to another; and
  - that the damage or distress is or would be unwarranted.
- This does not apply where any of the first to fourth conditions in Schedule 2 of the DPA is met (consent, necessary processing, etc.).
Other legal consequences under the DPA: section 10 notices (continued)
- On receiving such a notice, the data controller must, within 21 days, give the individual a written notice either:
  - stating that it will comply with the data subject's notice; or
  - giving reasons why it regards the data subject's notice as unjustified, and the extent (if any) to which it intends to comply with it.
- If the latter is given, the data subject may apply to the court for an order requiring the data controller to take steps to comply.
- Not a well-known or widely used provision.
Other legal consequences under the DPA: claims for compensation (s13 DPA)
- Section 13: "An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage."
- There is also a right to compensation from the data controller for distress, BUT only if the individual also either:
  - suffers damage; or
  - the data was processed for a "special purpose".
- It is a defence to prove that the data controller took such care as in all the circumstances was reasonably required.
- Enforced by bringing proceedings for breach of statutory duty.
Other legal consequences under the DPA: section 55 offences
- Section 55 makes it an offence knowingly or recklessly to obtain or disclose personal data without the data controller's consent.
- This is about misuse of personal data: typically where a member of staff accesses and discloses or uses personal data without authorisation, or where a person fraudulently obtains the data controller's consent.
- Section 77 of the Criminal Justice and Immigration Act 2008 gave the Government the power to introduce custodial sentences for section 55 offences, by ministerial order.
Other legal consequences under the DPA: section 55 offences (continued)
- The MoJ consulted on the exercise of this power at the end of last year; its formal follow-up to the consultation responses is still awaited.
- The consultation document proposed maximum custodial sentences of twelve months on summary conviction and two years on indictment.
- The original aim was to bring these changes into effect in April, but that does not look likely now.
Other potential legal consequences
- Action for breach of contract: there may be specific contractual provisions requiring compliance, and an action for damages for breach of them.
- Action for breach of confidence: it may be argued that an organisation owes a duty of confidentiality to someone in respect of their personal data, giving rise to a common law action for breach of confidence.
- Interdict: if court proceedings are raised, an aggrieved party may seek to interdict the disclosure or other processing of the data.
Other potential legal consequences: sector-specific regulation
- There may be regulatory restrictions that relate to the processing of data, e.g. FSA rules.
- Failure to comply may result in, e.g., fines being imposed, withdrawal of qualification or removal of regulatory permissions.
- There may also be requirements to notify the regulator of a breach.
Managing a failure to comply
Some pointers for managing a failure to comply:
- You should have a breach management strategy in place.
- The ICO has identified four elements of any breach management strategy:
  - containment and recovery
  - assessment of ongoing risk
  - notification of breach
  - evaluation and response
Managing a failure to comply: containment and assessment
Containment:
- Decide who is in charge of dealing with the breach and its consequences.
- Identify who needs to be made aware, and who needs to do what, in relation to containing it.
- Identify the immediate priorities, e.g. disable a mobile number; wipe a hard drive; change a door entry code.
- It is important that internal systems are efficient enough to allow this.
Assessment:
- Look at the risks arising from the breach.
- Focus on the nature of the breach and the individuals concerned.
- Consider what harm could arise from the breach or from use of the information.
- Assess what can be learned from the circumstances of the breach.
Managing a failure to comply: notification and recovery
Notification:
- Assess the requirements of notification on a case-specific basis.
- If individuals are to be informed, do so in an appropriate manner: tell them what you have done to contain the breach and give advice on what they can do to further protect themselves.
- Read the ICO's guidance notes.
Recovery:
- Work out what you can do to recover from the incident, e.g. restoring lost or corrupted data; retrieving or repairing lost or damaged equipment or papers.
Managing a failure to comply: evaluation and response
- Investigate the cause of the breach.
- Consider what is required to prevent the breach happening again.
- Document the breach and learn from it!
- See the ICO good practice note on the security of personal information.