Barely a week goes by these days without headlines reporting the latest breach of data security by one organisation or another. These can affect public authorities, charities, companies – whether well known or not.

For all organisations, data security has become a hot topic.  As more and more personal data is held in electronic form, so the need to protect that data from unauthorised disclosure or theft becomes increasingly important.  At the same time, the risks to the integrity of such data from deliberate hacking through to simple carelessness by an individual are perhaps higher than ever.

Quite apart from the immediate consequences – personal and commercial – that can flow from a data leak, the wider reputational damage that can be done to an organisation can be incalculable.  Moreover, as if all that wasn't enough, there are some increasingly unpleasant legal consequences to think about – both under current data protection legislation and possibly worse, under new legislation currently under consideration by the EU.

The protection of data from wrongful disclosure: legal duties on data controllers

Pending forthcoming reform, the law in the UK continues to be governed by the Data Protection Act 1998 ("the DPA"). 

Under section 4(4) of the DPA there is a legal obligation on data controllers to comply with the data protection principles set out in the DPA. 

These include the specific obligation on data controllers to have appropriate technical and organisational measures in place against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.  The DPA also says that, subject to technological development and cost, the level of security must be appropriate to the harm that might arise from unlawful processing or loss or damage, and the nature of the data itself.

As well as imposing these specific legal obligations on data controllers to take the appropriate measures to protect the data they hold, the DPA also contains enforcement machinery which can be used against data controllers who fail to do so.

Under section 55A of the DPA, provision is made for the Information Commissioner's Office ("ICO") to impose a monetary penalty on data controllers who breach their obligations.  These are in addition to the ICO's powers to issue Enforcement Notices requiring data controllers to do or refrain from doing things in relation to the processing of data.  The current maximum monetary penalty that can be imposed by the ICO is £500,000.   

How are monetary penalties assessed?

With only a few exceptions, monetary penalties can be imposed on any data controller (but not on a data processor who is processing data on behalf of a data controller).

The ICO must approach the decision to impose a monetary penalty in the following stages:

  1. Is there a serious contravention of s4(4) of the DPA?
  2. Is it likely to cause substantial damage or distress?
  3. If so, was the contravention deliberate?
  4. If not deliberate, did the data controller know or ought it to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but fail to take reasonable steps to prevent the contravention?

Once a decision has been made to impose a monetary penalty, the ICO will have to determine the amount.  In doing so, he will, according to his guidance, take account of a variety of factors including the nature of the contravention, its extent, how the party behaved and the impact of the penalty on the data controller.

Once the decision has been made to impose a monetary penalty and the amount has been determined, the ICO will issue a notice to the person affected.  This will contain the prescribed information relating to the penalty and the reasons for imposing it and the data controller will have a period of not less than 21 days within which to respond to the notice and put their case against it.

After those representations have been considered, if the ICO is still minded to proceed, he will issue the notice specifying what the penalty is to be.  A 20% discount is usually offered for prompt payment within 28 days.

There is a right of appeal against a monetary penalty by application to a First Tier Tribunal.

At all times, the process of assessing whether or not a monetary penalty is merited in a particular case is decided on the balance of probabilities (i.e. the civil standard of proof).  Where there is an appeal to a Tribunal against a decision of the ICO to impose a monetary penalty, the appeal is a full review of the merits.

Self-reporting – is it worth it?

Among the decisions faced by any organisation which discovers it has been the victim of a data breach or theft is the question of whether or not to report that breach – firstly to anyone affected by it and secondly to any relevant regulator such as the ICO.

For data controllers other than "service providers" (e.g. ISPs) there is no mandatory obligation to report breaches to the ICO and no fixed penalty for not doing so.  Each case will have to be looked at on its own facts.  So while one reaction to a data breach may be to try and contain it and to keep it hushed up if possible – for reputational reasons and to avoid the possibility of a monetary penalty – it should be noted that whether the breach was reported to the ICO is one of the factors that can be taken into account when assessing the size of the monetary penalty to be imposed if the breach is later discovered by the ICO.

In all cases, the question of whether or not the party "self-reported" is referred to as one of the "behavioural" factors considered by the ICO.  In some cases, a long delay in reporting the breach came in for criticism, whereas in another case there was no self-reporting at all.  But it is difficult to see exactly what effect this element alone has made on the size of the penalties meted out.  There surely needs to be more clarity on this point to incentivise self-reporting.  This may be addressed in the proposed new EU Regulation which is likely to make self-reporting compulsory.

Further, one of the downsides of the ICO becoming involved and issuing a penalty is that decisions on monetary penalty notices are then published on the ICO website (albeit with certain confidential information redacted).  So this can lead to unwelcome publicity and an embarrassing web page staying up and being readable for a long time.

In the aftermath of any serious data breach, consideration will have to be given to informing those people whose personal data may have been compromised.  But this is not an end in itself.  There must be a purpose behind notifying them.  For example, if someone's log on password or credit card details are compromised, they need to be informed so they can cancel the card and change their password.  But in other cases there may be no point in telling someone a particular piece of information about them has been leaked.

Similarly, it may not be necessary to report the breach to the ICO, for example if it is not a serious breach.  Advice should be sought and a judgment made in the light of the particular circumstances.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.