All businesses that process personal data should be aware of their data protection obligations.
Under the Data Protection Act 1998 (DPA), if a business holds and processes information about its clients, employees or suppliers, it is legally obliged to protect such information.
Data Protection Issues
Under the DPA a business must only collect information that is required for a specific purpose. Data protection issues arise out of the eight general principles underlying the DPA, which require that personal data:
- It should be processed fairly and lawfully
- It should be processed only for lawful purposes
- It should be adequate and not excessive
- It should be accurate and kept up to date
- It should not be kept for longer than necessary for its purpose
- It should only be processed in accordance with the rights of the data subjects
- Appropriate organisational measures should be taken to protect the data against loss or damage
- Personal data should not be transferred outside the EEA unless there is adequate protection in the country of transfer
Penalties for Breach of the Data Protection Act
The Information Commissioner has a variety of enforcement options, including enforcement notices (breach of which is a criminal offence) and fines. In the most serious cases, it can issue fines of up to £500,000; these are likely to be imposed where:
- There has been a serious breach
- The breach is likely to cause substantial distress or damage
- The breach was deliberate or negligent - the business controlling the data ought to have known of the risk of breach and that such a breach would be likely to cause substantial damage, and it failed to take reasonable steps to prevent it.
Recent Examples of Financial Penalties for Non-compliance
Recent high-profile examples of penalties imposed by the Information Commissioner include those on various councils and other public bodies where sensitive personal data had been mislaid or carelessly sent to the wrong person. In 2012, for example, Brighton and Sussex University Hospitals NHS Trust received a penalty of £325,000 following a serious breach relating to highly sensitive personal data belonging to tens of thousands of patients and staff.
Although public bodies seem to attract most of the media attention for DPA breaches, it is important for businesses to know that private companies are just as vulnerable to financial penalties. In 2012, Welcome Financial Services Limited was fined £150,000 for losing two tapes containing the personal data of customers, after failing to take appropriate steps to prevent the loss, and for unauthorised processing of the personal data. The tapes were also unencrypted, which was contrary to the company’s own policy.
It is clear from these examples that businesses should put in place effective data protection policies which are regularly reviewed to ensure compliance. Ultimately, businesses should be mindful of the criminal and financial penalties available to the Information Commissioner.