CIVIL MONETARY PENALTIES FOR SECURITY BREACHES OF PERSONAL DATA

The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010, SI 2010/31, and the Draft Data Protection (Monetary Penalties) Order 2010, create a framework under which the Information Commissioner may serve a monetary penalty notice on a data controller. Before doing so he must be satisfied that there has been a serious contravention of the data protection principles by the data controller, and that the contravention was of a kind likely to cause substantial damage or substantial distress. In addition, the contravention must either have been deliberate, or be one where the data controller knew (or ought to have known) that there was a risk that it would occur and that it would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent it.

The Regulations prescribe the maximum amount of a monetary penalty (£500,000). They also set out the minimum details that must be contained in a notice of intent and in a monetary penalty notice.

The Order sets out the procedure for issuing a monetary penalty notice following a notice of intent. It also specifies when enforcement action can be taken, the Information Commissioner's power to cancel or vary a monetary penalty notice he has issued, and the appeal rights of data controllers.