What is the real risk of an ICO fine?
The ICO has made it clear in its guidance (http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_guidance_monetary_penalties.pdf) that fines will only be used in the event of serious breaches which have the capacity to cause substantial damage and distress. Additionally, the breach needs to be deliberate or reckless to qualify.
Examples given in the guidance suggest that failure to take adequate security measures (use of encrypted files and devices, operational procedures, guidance etc.) resulting in the loss of personal data would be regarded as “serious”. “Damage” would include individuals becoming victims of identity fraud following such a security breach involving financial data.
As an example of a deliberate breach, the guidance cites a marketing company collecting personal data in the course of a competition and subsequently disclosing it for commercial purposes without informing the individuals concerned.
Whilst the fines do not apply to breaches of the email regulations, it is likely that the provisions of the Data Protection Act 1998 would cover wrongdoings here – including the sending of bulk unsolicited messages or SPAM.
Only data controllers (rather than individuals or data processors) can be fined through monetary penalty notices (MPNs). Those who do receive a notice of intent to levy an MPN will have at least 21 days to respond by showing that they have taken “reasonable steps” (including risk assessment, instigating policies and procedures and auditing regularly) to comply. They can also appeal to the Tribunals Service if they believe that they are not in breach.
The Commissioner and his staff have been at pains to stress that they will only use fines as a last resort. The words “discretion” and “proportionality” have cropped up a lot in recent soundbites. Six weeks on from the implementation date, no fines have been levied, so can we assume that these powers will genuinely only be used as the final deterrent?
Two things suggest that this might be wishful thinking. The first is that the general election meant that the ICO, like most Government-run organisations, went into a virtual press blackout or “purdah” during the campaign and has only recently emerged again into the light of day. The second is that the powers are not retrospective. This means that errant data controllers would have had to be guilty of a breach (and found out!) since 6th April.