The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010, SI 2010/31, and the Draft Data Protection (Monetary Penalties) Order 2010 create a framework for the Information Commissioner to serve a monetary penalty notice on a data controller if he is satisfied both that there has been a serious contravention of the data protection principles by the data controller and that the contravention was of a kind likely to cause substantial damage or distress. Such contraventions must be either deliberate or something which the data controller knew (or ought to have known) would occur and which was of a kind likely to cause substantial damage or substantial distress, but which he failed to take reasonable steps to prevent.
The Regulations prescribe the maximum amount of a monetary penalty. They also set out the minimum details to be contained in a notice of intent, and in a monetary penalty notice.
The Order sets out procedural details of the issue of a monetary penalty notice following a notice of intent. It also contains details of when enforcement action can be taken, and the power to cancel or vary a monetary penalty notice issued by the Information Commissioner, as well as details of appeal rights of data controllers.