Data protection: where are the fines?

Regular readers of this blog (thank you!) will know that we consider the Information Commissioner’s lack of enforcement and regulatory powers to be a serious deficiency in the UK’s data protection and privacy law.

To emphasise the point yet again, the Information Commissioner has published details of the enforcement notices issued against 14 construction companies arising out of the misuse of personal data collected and sold by Ian Kerr trading as the Consulting Association. There are some big names listed in the Information Commissioner’s press release. The enforcement notices demand that the construction companies stop using the Ian Kerr personal data, and comply with certain obligations that they already had under the Data Protection Act 1998.

Despite these serious breaches, there are no fines or compensation orders, as the Information Commissioner does not have the power to award fines or make orders. Have the construction companies got away with their blatant breach of the Data Protection Act 1998? Perhaps, but at least the enforcement notices contain an interesting final warning. In setting out in the notices that the construction companies must comply with certain data protection obligations, the Information Commissioner has ensured that any further breach of these obligations would also be a breach of the relevant enforcement notice.

Breach of an enforcement notice is a criminal offence. In addition, where that offence “has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly” (section 61(1) of the Data Protection Act 1998).

The officers of the 14 construction companies subject to these Ian Kerr enforcement notices ought to bear this in mind.

To fine, or not to fine: that is the question

Compare and contrast the following recent data protection cases:

1.  HSBC: fined, after discount, over £3m by the FSA.

2.  Ian Kerr: prosecuted and fined £5,000.

3.  Highland Council: asked to give an undertaking to get its laptops encrypted.

The HSBC case highlights yet again the lack of enforcement powers given to the Information Commissioner under the Data Protection Act 1998.  It also highlights the lack of regulatory powers the ICO has to set data protection rules.  After all, HSBC was fined by the FSA for breach of FSA rules, not for breach of any legislation.

This is demonstrated in the Ian Kerr case.  Although this involved systematic and blatant breaches of the data protection principles, including in respect of the processing of sensitive personal data (trade union membership), the prosecution was for the offence of not being notified to the Information Commissioner.  However, a fine at the top of the scale was imposed by the court.

When no statutory offences have been committed, the Information Commissioner must fall back on the enforcement notice powers and the more recent innovation of getting data controllers to volunteer undertakings rather than be made the subject of an enforcement notice, as shown by the Highland Council case.

The Highland Council case, on the face of its facts, may be argued to be a little harsh.  It concerned the theft of 2 password-protected laptops from a locked office.  The laptops held personal data on over 1,400 individuals, including sensitive personal data (medical information).  The key point, however, is that the laptops were unencrypted.  This is yet another reminder that no-one using unencrypted laptops for personal data should expect any leniency from the Information Commissioner if they go missing.

Snooping and vetting

At Charles Russell we have a generic data protection email address – feel free to drop us a question for a short, informal reply:
dataprotection@charlesrussell.co.uk.

So it’s a little ironic that, in the week of the Ian Kerr Enforcement Notice (concerning an unlawful personnel vetting service – see ICO press release here), our dataprotection email box is getting filled with spam containing this:

Spam Vetting Service

Needless to say, we won’t be using this service.