Earlier this week the Information Commissioner published revised guidance on how he will exercise his power to issue monetary penalties.
In addition to explaining how the Commissioner will exercise his new power to fine under the Privacy and Electronic Communications (EC Directive) Regulations, the guidance includes a number of examples of how and when the Commissioner might issue monetary penalties for serious contraventions of the Data Protection Act.
The Commissioner’s power to issue monetary penalties for serious contraventions of the DPA came into force in March 2010, and over the last 20 months or so the Commissioner has issued a number of monetary penalties – the highest being a £350,000 fine levied on Brighton and Sussex University Hospitals NHS Trust.
The Commissioner will issue fines for serious contraventions that are likely to cause substantial damage or substantial distress, and that were either deliberate, or where the data controller knew or ought to have known that there was a risk of such a contravention and failed to take reasonable steps to prevent it.
To help data controllers comply with their obligations, the new guidance contains examples illustrating each of the terms in that test. For example, the Commissioner considers that each of the following would constitute a serious contravention:
- A failure to take adequate security measures (such as encryption of files and devices, and operational procedures and guidance) that results in the loss of a CD containing personal data
- Systematic failure to record and respect objections to telemarketing
- Covertly monitoring someone’s location using mobile phone geolocation data
Given the Commissioner’s increasing use of his power to issue monetary penalties, the guidance is well worth reading.
On February 3, 2012