UK: Put Your Money Where Your Technology Is - When it Comes to Data Security
For data breaches or contraventions of the United Kingdom’s Data Protection Act (DPA) occurring on or after April 6, 2010, the Information Commissioner’s Office (ICO) now has the authority to impose monetary penalties of up to half a million pounds on data controllers in the public, private and voluntary sectors. Before doing so, the Commissioner must be satisfied that:
• there has been a serious contravention of section 4(4) of the DPA by the data controller; and
• the contravention was of a kind likely to cause substantial damage or substantial distress; and
• either the contravention was deliberate, or
• the data controller knew, or ought to have known, that there was a substantial risk that the contravention would occur and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent it.
Data controllers are expected to meet the familiar standard of care of a “reasonably prudent” data controller. This means taking reasonable security steps, including: carrying out risk assessments of data processing activities and keeping evidence of the steps taken to address the risks of handling personal data; demonstrating good governance and/or internal auditing arrangements; and adopting appropriate policies, procedures, processes and practices, such as encryption of all laptops and removable media. Serious contraventions include failures to take adequate security measures that result in the loss of personal data. “Substantial damage or distress” includes any financially quantifiable loss suffered by an individual (including loss of earnings, lost financial opportunity and the risk of identity theft) and any injury to feelings, harm or anxiety suffered by an individual.
U.S. data providers should be aware of how broadly “substantial damage” can be interpreted. As with most data security enforcement, the lesson is to focus on establishing good procedures in the first instance.
The ICO has published guidance on how it will apply the penalties.