When the new monetary penalties regime under sections 55A-E of the DPA comes fully into force, the Information Commissioner will have power to impose a civil penalty on a data controller for a serious contravention of any of the data protection principles if – in essence – the contravention is (1) deliberate or reckless and (2) of a kind likely to cause substantial damage or distress.
The Ministry of Justice is currently consulting on what the maximum penalty under section 55A should be. £500,000 is proposed. Whilst this is clearly not an insubstantial sum, it needs to be set against the fact that many other regulators have power to impose a penalty of up to 10% of an organisation’s turnover. If the data controller at issue has a turnover that is significantly above £5m, and – for example – a serious contravention has caused damage or distress to a very large number of people, the maximum penalty of £500,000 may begin to look a little on the small side. Indeed, the Commissioner may not even be able to go that far: the ICO’s draft guidance on the monetary penalty powers indicates at paragraph 7.4 that swift payment of the penalty will lead to a 20% reduction. So a data controller that decides not to contest the penalty may end up paying a maximum of only £400,000.
One final point. The penalties are to be paid into the Consolidated Fund (section 55A(8)). Thus, where the data controller is a central government body, the imposition of any size of penalty will have a slightly unreal quality to it, as the sum involved will simply return to the financial pot from which the body in question drew its funding in the first place.