In the year to 31 March 2004, the Information Commissioner’s Office, the UK data protection authority, successfully prosecuted 8 individuals for a total of 45 offences under the Data Protection Act 1998. Fines ranged from £150, plus costs of £100, to a fine of £10,000 plus £5,000 costs.
The Information Commissioner’s Annual Report, published on 13 July, also notes that the Office handled 11,664 enquiries and complaints. Of these, the Office
gave advice in 5,690 cases
reached an assessment (a formal procedure) in favour of the complainant in 1,588 cases
reached an assessment in favour of the data controller in 1,469 cases.
The remaining cases are either ones where the Office did not complete the assessment within the year, or where the Office declined to take the matter on (or did not make an assessment of compliance for some other reason).
These figures show that, whilst the Information Commissioner in the UK has a reputation for being an approachable and pragmatic regulator, his Office is still extremely active in enforcing the Act. This Article sets out the consequences of non-compliance with the Act –
the Commissioner’s powers to bring criminal prosecutions,
his powers to issue enforcement and information notices and to enter premises, to search and seize materials and
individuals’ rights to take matters into their own hands in the courts.
Offences by the data controller, its officers and managers
In a number of cases, an organisation’s failure to comply with the Act will mean that it commits a criminal offence. In most cases, any criminal liability will be incurred by the data controller i.e. the limited company or other legal entity that controls the use of personal data. However, in some circumstances, members of the data controller’s management may find themselves personally liable for the commission of an offence. Section 61 (1) of the Act provides that:
“Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who is purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and shall be liable to be proceeded against and punished accordingly”
The intent behind this section is that where an offence has been committed under the Act by a limited company, but is actually attributable to the instructions, or negligence, of its management, the relevant manager should be able to be pursued personally. Section 61 focuses specifically on company directors and the company secretary, who have statutory obligations in relation to a limited company. However, it could also cover other individuals who have management powers.
The Act provides for criminal sanctions in relation to the following areas:
(a) notification (i.e. registration) related offences;
(b) offences relating to unauthorised obtaining or disclosure of personal data;
(c) offences relating to abuse of individuals’ subject access rights; and
(d) offences of interfering with the exercise of the Commissioner’s powers.
A data controller is obliged to notify (that is, to register) the fact that it is processing personal data with the Office of the Information Commissioner. There are now a large number of exemptions from this need to notify. However, by virtue of ss 17 (1) and 21 (1) of the Act, it is an offence for a data controller who is not exempt to process personal data without having completed the notification process. This offence is a matter of strict liability – i.e. an absence of any intention is no defence.
Notification regulations made under the Act also oblige data controllers to keep the notification up to date and Section 21 (2) of the Act makes it an offence to breach this updating obligation. In this case, however, it is a defence for a person who has been charged with the offence to show that he exercised all due diligence to comply.
There is also an esoteric offence relating to failure to provide details of processing exempt from notification when requested.
Historically, most enforcement activity in the UK focused on non-registration offences. This was largely because under the predecessor to the Act, the Data Protection Act 1984, the obligation to comply with the data protection principles only fell on persons who were registered with the Data Protection Registrar. Accordingly, if an individual complained to the Data Protection Registrar about a breach of the 1984 Act, the Registrar first had to check whether the relevant organisation had registered. If the organisation had not registered, then, no matter how serious the breach, the most the Registrar could do was to issue proceedings for non-registration.
This link between registration and more substantive compliance has now been broken. The obligation to comply with data protection principles applies to all data controllers, not merely those who have notified with the Office of the Information Commissioner. This has freed the Commissioner to spend more time on more substantive offences.
Unlawful obtaining or disclosure of personal data
Section 55 of the Act makes it an offence to obtain or disclose personal data without the consent of the relevant data controller. The most obvious application of this section is to enquiry agents who obtain information about particular individuals by deception; for example, by purporting to be the individual concerned. This is by far the most serious offence under the Act and all of the prosecutions mentioned at the beginning of this Article were under s55.
Unlike the non-registration offence, this is not a strict liability offence. An individual only commits this offence if he obtains or discloses personal data knowing that, or being reckless as to whether or not, a data controller has consented to this.
There are a number of defences to s 55 – these cover disclosures in the public interest, for the prevention or detection of crime, or acts where the individual reasonably believes that he had, or would have had, the consent of the data controller to obtain or disclose the information. In addition to these specific defences, there is a general exemption for information which is exempt under the provisions of the Act relating to national security (at s 28).
Although the provisions are of most obvious application to enquiry agents, this is not their only application. Section 55 could also, for example, cover disclosures of personal data made by staff in banking or insurance call centres in breach of their employers' policy on disclosures.
Subject-access related offences
A practice grew up under the 1984 Act, whereby employers would ask prospective employees to use their subject-access rights to obtain a copy of their police record. Provision of this police record would then be a condition of the employer considering the individual’s application. The Data Protection Registrar (the predecessor to the Information Commissioner) called this “enforced subject access” and considered it to be objectionable, as the police records obtained revealed details of cautions and spent convictions, as well as “current” convictions, thereby undermining the principle of rehabilitation.
The 1998 Act will, eventually, criminalise this practice. Section 56 applies to specified criminal and related records and will make it an offence for a person to require the supply of these records in connection with the recruitment or continued employment of an individual or the supply of services by that individual.
The introduction of an offence of enforced subject access goes hand in hand with the introduction of the Criminal Records Bureau, which, when fully operational, will establish formal procedures whereby "basic" criminal record certificates will be issued to the individual to whom the record relates and fuller certificates will be issued to appropriate organisations in relation to certain categories of people (for example those working with children). S 56 cannot be brought into force until those provisions of Part V of the Police Act 1997 that set up the Criminal Records Bureau are fully in force. There is, as yet, no timetable for this to take place.
Offences relating to the Commissioner’s powers
Failure to co-operate with the Information Commissioner in the exercise of his powers, almost invariably, amounts to the commission of a criminal offence.
So, a failure to comply with an enforcement notice, an information notice or a “special” information notice is an offence under s 47. Where the Information Commissioner has served an information notice or a special information notice it is then, by virtue of s 47 (2), an offence for anyone knowingly or recklessly to make a statement to the Information Commissioner which is false in a material respect.
Finally, under Schedule 9, paragraph 12, it is an offence intentionally to obstruct the Commissioner’s staff when they are exercising search and seize warrants. It is also an offence to fail to give the Commissioner’s staff reasonable assistance when they exercise their powers under such a warrant.
Legal actions by the Information Commissioner
Under ss 40 and 41, the Commissioner may serve an enforcement notice on a data controller if the Commissioner is satisfied that the data controller has contravened or is contravening any of the data protection principles. This notice may require the data controller to take, or refrain from taking, certain steps. Alternatively, the notice may require the data controller to stop processing personal data. The notice is, therefore, like an injunction and could have a substantial impact on a business.
Failure to comply with an enforcement notice is an offence.
By s 42, the Commissioner is obliged to make an assessment of any processing of personal data in respect of which a complaint (euphemistically called a request for assessment) is made to the Commissioner. The assessment is to determine whether it is likely or unlikely that the processing in question has been or is being carried out in compliance with the provisions of the Act.
The Act suggests that when the Commissioner considers whether or not to pursue a request for assessment, he may have regard to:
whether the request appears to raise a matter of substance;
whether there has been any undue delay in making the request (which the Commissioner interprets as imposing a 12-month cut-off, running from the later of the relevant processing or the individual’s contact with the data controller or any other regulator or ombudsman); and
whether or not the person is entitled to make a subject access request in respect of the information.
In May 2000, the previous Commissioner issued a Policy on Handling Assessments. The Policy suggests that all requests will receive initial consideration. However, given the limited resources available to the Commissioner, the Policy makes clear that individuals will be encouraged to help themselves as far as possible. The Commissioner will also consider whether the substance of the dispute is fundamentally about data protection, whether the matter could better be dealt with by another body and whether investigation by the Commissioner is likely to take up resources which are disproportionate to the issues raised.
In support of the Commissioner's enforcement powers, the Act (ss 43 and 44) gives the Commissioner power to serve an information notice requiring the data controller to provide information specified in the notice. The Commissioner cannot compel data controllers to produce information that would reveal evidence of the commission of offences other than offences under the Act.
In the case of both enforcement notices and information notices there are urgency procedures and there is a right of appeal to the Information Tribunal. There are also separate procedures that apply where the Commissioner wants to issue notices to the press, or in respect of other processing for journalistic, literary or artistic purposes.
Powers of Entry and Inspection
Finally, the Commissioner has powers of entry and inspection on warrant issued by a circuit judge (s 50 and Sched 9). In 2000-2001, for example, the Commissioner obtained 9 search warrants.
The Commissioner’s approach to enforcement
Although the Information Commissioner has the broad range of powers described above, in practice, the Commissioner’s preferred approach, where action is required, has been to discuss and negotiate with the data controller. Use of formal enforcement powers would normally only be considered where this fails, or where the data controller is clearly in breach of basic requirements of the Act, or where the circumstances are such that this approach would be inappropriate (for example, in the case of flagrant disregard for the Act, or extremely serious breaches).
The enforcement powers described above are also available to the Commissioner for breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003. However, here the Commissioner considers his powers to be inadequate. This is largely because an enforcement notice cannot come into effect until the end of any appeal. During this period, the offending organisation is free to carry on intrusive fax, e-mail or SMS marketing. In his response to the DTI consultation, the Commissioner asked for powers similar to those available to the OFT under the Stop Now Orders (EC Directive) Regulations 2001, which allow for much speedier action. Failure to comply with such an order would be an offence, and proceedings could be brought against the proprietors of organisations breaching the rules. The DTI has committed to strengthening the Commissioner’s powers in this area, although there is, as yet, no timetable for this.
Legal actions by individuals
In addition to facing criminal prosecution or enforcement proceedings by the Commissioner, a person who breaches the Act could also be at the receiving end of civil proceedings brought by individuals to enforce their rights:
The court is not obliged to enforce individuals' rights under the Act. Even where there has been a breach of the Act, a court may decline to enforce the Act.
S 13 of the Act also grants individuals rights to compensation. However, in most situations, an individual will only be entitled to compensation if, as a result of a data controller’s breach of the Act, he suffers damage. Only where an individual has suffered “damage” is he then also entitled to claim compensation for distress. If, however, a data controller has breached the provisions in the Act that relate to processing for journalistic, literary or artistic purposes, then an individual is entitled to compensation for distress without needing to prove any damage.
There is a defence to any claim for compensation where a data controller can show that he took such care as, in all the circumstances, was reasonably required to comply with the relevant provision of the Act.
As, in most cases, individuals can seek compensation only where they have suffered “damage” it is important to understand what is meant by this word. The Data Protection Registrar issued guidance under the 1984 Act on the meaning of “damage”. This was included in the Registrar’s guidance paper, Guideline 5: Individual Rights. Here the Registrar took the view that damage would include “financial loss or physical injury” but would not include “distress suffered by the individual”. In many cases where there has been a breach of the Act, the likely impact on the individual may, indeed, be distress as opposed to financial loss or physical injury.
Although the requirement to prove damage is useful for data controllers, organisations should note that the UK approach to the meaning of damage is controversial. The Data Protection Directive requires Member States to grant individuals rights to claim compensation for “damage”, and the European Commission’s Article 29 Working Party on data protection has stated that, in its view, the term damage includes “not only physical damage and financial loss, but also any psychological or moral harm caused (known as ‘distress’)”.
As regards the level of compensation, there have only been two reported cases in which compensation has been awarded. In the Naomi Campbell case (LTL 7/5/2004: (2004) ECLR 1232: (2004) All ER 995: (2004) EMLR 15: Times, May 7, 2004: Independent, May 11, 2004), damages of £3,500 were awarded at first instance on a combined basis in relation to breach of confidence and breach of the Act. In the case of Michael Douglas and Catherine Zeta-Jones (Douglas v Hello! Ltd) (LTL 101/11/2003: (2004) EMLR 2), the Douglases were awarded a mere £50 each for breach of the Act, although more substantial damages were awarded on other grounds.
The practice of the Information Commissioner’s Office in the UK is, normally, to try to ensure compliance by co-operation rather than through the use of formal enforcement powers. However, with the exception of enforcement under the PEC Regulations, the Information Commissioner is able to back up his “persuasive” approach with a range of powers which could cause substantial business disruption; the consequences of non-compliance with UK data protection law should not, therefore, be underestimated.
This article contains material first published by Sweet & Maxwell Limited in Richard Morgan & Ruth Boardman’s Data Protection Strategy (2003) and is reproduced by agreement with Sweet & Maxwell.