Data Protection Act fines within the last 3 years

The request was partially successful.

Dear Sir or Madam,

FOI Request

Could you please confirm the maximum penalty (monetary) that you could impose on a company or individual in relation to a serious breach of the Data Protection Act (DPA)?

How many reports of serious breaches of the DPA have been reported to the ICO in the last 3 years?

Of those reported breaches, how many were investigated by the ICO?

Of those reported breaches that were investigated, how many companies or individuals were fined?

How many times was the maximum fine imposed on those individuals or companies that were fined?

Of the companies or individuals investigated, how many were government departments or government related?

Of those government departments, how many were fined?

Of those government departments, how many were fined the maximum amount?

Yours faithfully,

Frank Mustill

Information Commissioner’s Office

21st October 2009

Case Reference Number IRQ0274721

Dear Mr Mustill

Request for Information

Thank you for your e-mail sent earlier today, in which you have asked us
to provide you with various items of information held by the Information
Commissioner's Office (ICO) relating to serious breaches of the Data
Protection Act 1998 (the DPA).

Your request has been passed to the Internal Compliance Team, and is being
dealt with in accordance with the Freedom of Information Act 2000 (FOIA)
under the reference number shown above. 

Before we are in a position to begin to collate the information you have
asked for, it would be helpful if you could clarify the scope of your
request. 

Firstly, you have asked us to “… confirm the maximum penalty
(monetary) that you could impose on a company or individual in relation to
a serious breach of the DPA?”. 

The Information Commissioner and the Director of Public Prosecutions do
have powers to commence proceedings against an organisation or individual
for a criminal offence under the DPA, but only the Court in which a case
is heard can impose a monetary penalty.  At the moment the statutory
maximum fine is £5000 (or on conviction on indictment, an unlimited
fine). 

Further information about the offences under the DPA can be found in
Chapter 9 (page 71) of our publication ‘The Data Protection Act 1998 –
Legal Guidance’, which is available on our website via the following
link:

[2]http://www.ico.gov.uk/upload/documents/l...

Secondly, you have asked us to advise you “How many reports of serious
breaches of the DPA have been reported to the ICO in the last 3 years?”.

As you may be aware there are a number of provisions within the DPA which,
if breached, could result in a complaint being made to the ICO and
appropriate action being taken.  However, what constitutes a
‘serious’ breach of the DPA is subjective, and will depend on the
point of view of those involved.  We would therefore be grateful if you
could clarify what you believe to be a serious breach of the DPA.

For example, are you interested in those breaches which have resulted in a
criminal offence being considered?  Are you also interested in those
which have resulted in enforcement action being taken, where a breach of
one of the eight data protection principles has occurred (if a data
controller then fails to comply with an enforcement notice they will have
committed a criminal offence).  Or are you interested in any other
particular type of breach of the DPA, where the ICO has considered the
complaint under s42 of the DPA (as a ‘request for assessment’), and
either upheld the complaint (whether remedial action was required to be
taken or not), or has not upheld the complaint?


Further information about the DPA complaints process can be found on our
website at the following link:

[3]http://www.ico.gov.uk/complaints/data_pr...

You may also find it helpful to have a look at our booklet ‘The Data
Protection Act 1998 – When and How to Complain’, which appears as a
download at the foot of the page accessed via the link above.

If you can provide us with the clarification we need on what you consider
to be a ‘serious’ breach of the DPA we will then begin to process your
request, and provide you with the level of detail you have asked for
relating to the various categories of information listed in your e-mail. 
In accordance with the FOIA we will then provide you with the information
you have requested within 20 working days of receipt of that additional
information.

When you reply to this email please be careful not to amend the
information in the ‘subject’ field. This will ensure that the
information is added directly to your case. However, please be aware that
this is an automated process; the information will not be read by a member
of our staff until your case is allocated to a request handler.

Yours sincerely

Antonia Swann

Assistant Internal Compliance Manager

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Tel: 01625 545894

[4]www.ico.gov.uk

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 01625 545 700 Fax: 01625 524 510 Web: www.ico.gov.uk

References

Visible links
2. http://www.ico.gov.uk/upload/documents/l...
3. http://www.ico.gov.uk/complaints/data_pr...
4. http://www.ico.gov.uk/

Dear Antonia Swann,

Case Reference Number IRQ0274721

Thank you for your letter of the 21st October.

I will try and address your points in order.

I note with interest the very small sum of £5,000 for the statutory maximum fine! This is hardly a deterrent and would seem somewhat of a "token gesture" by way of a fine? Am I correct in thinking that currently the ICO are attempting to have the maximum fine increased? If this is correct, what is the proposed new maximum fine?

How many successful prosecutions has the ICO fielded in the last 3 years and what were the levels of fine imposed on each occasion by the courts (given the potential use of unlimited fines)?

How many times has the maximum fine been given out in the last 3 years?

Yes I am interested in those breaches which have resulted in a criminal offence being considered.
In those cases that have been considered for criminal action, how many were finally subject to criminal proceedings and what was the outcome in each case?

Yes I am interested in those breaches which have resulted in enforcement action being taken, where a breach of one of the eight data protection principles has occurred.
What enforcement action was taken in each case?

Yes I am interested in those breaches where the ICO has considered the complaint under s42 of
the DPA (as a ‘request for assessment’) and upheld the complaint (whether remedial action was required to be taken or not).
What was the outcome in each case?

Yes I am interested in those breaches where the ICO has considered the complaint under s42 of
the DPA (as a ‘request for assessment’) and has not upheld the complaint?
How many complaints were not upheld?

I am particularly interested in the Seventh Principle of the DPA - "Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
How many fines have been levied specifically in relation to the loss of data?
How many times was the maximum fine imposed in relation to the loss of data?

How many undertakings have been made by companies and individuals to comply with the DPA in the last 3 years and how many reported breaches of those undertakings have taken place?

Hopefully that clarifies the situation for you in relation to all my questions now raised in both letters?

Yours faithfully,

Frank Mustill

Information Commissioner’s Office

27th October 2009

Case Reference Number IRQ0274721

Dear Mr Mustill

Request for Information

Thank you for your e-mail of 22 October 2009, in which you have provided
the clarification we asked for further to your original request for
information dated 21 October.

As you know the Internal Compliance Team will deal with your request in
accordance with the Freedom of Information Act 2000, under the reference
number shown above.  We will therefore respond to your request by 19
November 2009, which is 20 working days from the day after we received the
additional information we asked for.  We will also provide a response to
the more general queries you have raised by this date.

If you wish to add further information or evidence to your case please
reply to this email, being careful not to amend the information in the
‘subject’ field. This will ensure that the information is added
directly to your case. However, please be aware that this is an automated
process; the information will not be read by a member of our staff until
your case is allocated to a request handler.

Yours sincerely

Antonia Swann

Assistant Internal Compliance Manager

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Tel: 01625 545894

[2]www.ico.gov.uk


References

Visible links
2. http://www.ico.gov.uk/

Information Commissioner’s Office

1 Attachment

10th November 2009

Case Reference Number IRQ0274721

Dear Mr Mustill

Further to my e-mail of 27 October 2009 we have again reviewed your
request for information, as detailed in your e-mails of 21 and 22 October,
and would be grateful for further clarification on one last point.

In your second e-mail of 22 October you effectively submitted a revised
request for information, which we have summarised as detailed in the
attachment.  I hope you consider this to be an accurate reflection of
your revised request, but please let me know if any amendments are needed.

However, when we looked at this against your original request of 21
October we noted that in your revised request you did not make any
specific reference to the number or nature of Data Protection Act
complaints relating to government departments, or which were government
related.

Therefore, please can you confirm if you would like us to provide you with

a)  the information listed in the attached summary;

b)  any additional information relating to government departments (for
example, we could add to the attached summary the three final questions
listed in your e-mail of 21 October); and

c)  any additional information which, in your view, has not been included
in the summary.

If you can provide us with a response to this e-mail by the end of
tomorrow (11th November) we will still endeavour to provide you with a
response by 19 November.  However, if we hear from you after 11 November
we may have to revise our original deadline for our response, and will
advise you of this accordingly.

We look forward to hearing from you again shortly.

Yours sincerely

Antonia Swann

Assistant Internal Compliance Manager

Information Commissioner’s Office

01625 545894



Information Commissioner’s Office

17th November 2009

Case Reference Number IRQ0274721

Dear Mr Mustill

Request for Information

Further to my last e-mail of 10th November I note from our records, as
well as the relevant entry on the ‘What Do They Know?’ website, that
you have not yet been able to respond to my last enquiry.

In the circumstances can I suggest that we will deal with your request as
detailed in your last e-mail to me of 22 October, which I then summarised
as per the attachment to my e-mail of 10 November, and we will provide you
with a response by 26 November 2009 (thereby extending the original
deadline by 5 working days).

If you then decide that you would like any additional information relating
specifically to the number of government departments or government related
data controllers that have been reported to the ICO for breaches of the
Data Protection Act 1998 (as indicated in your original e-mail of 21
October 2009) then please let us know, and we will deal with this as an
additional request for information.

Yours sincerely

Antonia Swann

Assistant Internal Compliance Manager

Information Commissioner’s Office

01625 545894



Information Commissioner’s Office

1 Attachment

26th November 2009

Case Reference Number IRQ0274721

Dear Mr Mustill

Request for Information

Further to my last e-mail of 17 November 2009, we are now in a position to
provide you with a response to your request for information as detailed in
the summary I sent to you on 10 November. 

Firstly I shall respond to the query you raised in your e-mail of 22
October, in which you referred to the current maximum fine of £5000 for a
breach of the Data Protection Act 1998 (DPA) in a Magistrates Court, and
asked “Am I correct in thinking that currently the ICO are attempting to
have the maximum fine increased? If this is correct, what is the proposed
new maximum fine?”

It is the Criminal Justice and Immigration Act which contains tougher
sanctions which will enable the ICO to impose much higher fines on
organisations or individuals who fail to comply with the DPA, but the
legislation is yet to be passed, and the detail you are interested in has
not been finalised.  The first link below will take you to a press
release issued by the ICO in May 2008 which details our initial reaction
to the proposals, whilst the second link will take you to the latest
position as described on our Frequently Asked Questions page:

[2]http://www.ico.gov.uk/upload/documents/p...

[3]http://www.ico.gov.uk/Global/faqs/genera...

Turning to your request for information, you have asked for various items
of information relating to requests for assessment received by the
Information Commissioner’s Office (ICO) under section 42 of the DPA.
Although you are particularly interested in statistics for the last 3
years, as much of our reporting is done by financial year some of our
responses have been compiled from records dating from 1st April 2009 to
30th March 2009, but have also taken into account the latest figures up
until 31st October 2009 (with annual breakdowns shown where appropriate),
whilst due to the way in which our records management processes have
changed, some records only date back to April 2007.  I have clarified the
relevant dates in each of the responses detailed below.

1) How many successful prosecutions has the ICO fielded in the last 3
years and what were the levels of fine imposed on each occasion by the
courts (given the potential use of unlimited fines)?

Prosecutions under the DPA for the previous three years are as follows:

April 2006 to March 2007 – 14

April 2007 to March 2008 – 10

April 2008 to March 2009 – 14

April 2009 to October 2009 – 6

The fines imposed for each offence committed in the first three years can
be found in the relevant Annual Report on our website (page 56 for
2006/2007, page 39 for 2007/2008 and page 45 for 2008/2009).  The links
are given below:

[4]http://www.ico.gov.uk/upload/documents/l...

[5]http://www.ico.gov.uk/upload/documents/l...

[6]http://www.ico.gov.uk/upload/documents/l...

The relevant information we hold for prosecutions from April 2009 to the
end of October 2009 has not yet been published, but details are as
follows:

+---------------------------------+---------+------------------------------+-----------------+-----------+------------------------------------+----------+
| Defendant                       | Offence | Court                        | Date of hearing | Result    | Sentence                           | Costs    |
|---------------------------------+---------+------------------------------+-----------------+-----------+------------------------------------+----------|
| Motunrayo Adojutelegan          | S17     | City of London Magistrates   | 19/05/09        | Convicted | £250                               | £427.40  |
| Metro 3 Staffing Ltd            | S17     | City of London Magistrates   | 19/05/09        | Convicted | £250                               | £448.00  |
| Ian Kerr                        | S17     | Macclesfield Magistrates     | 27/05/09        | Convicted | Sentenced by Knutsford Crown Court |          |
| Ian Kerr                        | S17     | Knutsford Crown Court        | 16/07/09        | Convicted | £5000                              | £1187.20 |
| Robert Bailey Moore             | S17     | Newcastle-u-Lyne Magistrates | 20/10/09        | Convicted | £500 fine (for each defendant)     | £0       |
| t/a Moores Chartered management | S17     | Newcastle-u-Lyne Magistrates | 20/10/09        | Convicted | £500 fine (for each defendant)     | £776.40  |
+---------------------------------+---------+------------------------------+-----------------+-----------+------------------------------------+----------+

2) How many times has the maximum fine been given out in the last 3
years?

The maximum fine of £5000 has not been imposed at all since April 2006
(although it was imposed twice in the year 2005/2006).  I would mention that
the conviction referred to in the table above, when Ian Kerr was sentenced
to a £5000 fine by Knutsford Crown Court on 16 July 2009, does not fall
within the ‘maximum fine’ remit in this instance as the court could
have imposed an unlimited fine.

3) Of those cases that have been considered for criminal action, how
many were finally subject to criminal proceedings and what was the
outcome in each case?

According to the records held by our Data Protection Regulatory Action
Division since 1st April 2006 there have been 355 cases formally referred
to them for consideration of prosecution.  Many of these would relate to
the ICO’s own non-notification exercise (identifying those individuals
or organisations who are processing personal data without being registered
to do so), rather than complaints made to the ICO under s42 of the DPA. 
Of those 355 referrals, as the response to Q1 above shows, criminal
proceedings were pursued in 43 of those cases. 

4) In those cases where a breach of one of the eight data protection
principles has occurred, what enforcement action was taken in each case?

Since April 2007, from when detailed records of enforcement action have
been kept, where a breach of one of the 8 principles has occurred
enforcement was recommended in 131 cases, which resulted in 75 enforcement
actions. These are broken down into 46 undertakings obtained, 10
enforcement notices being served, 15 cases closed with no enforcement
notices being served, 3 informally resolved and 1 pending.

The following link gives details of all the enforcement notices issued by
the ICO and the undertakings signed by data controllers since January
2008:

[7]http://www.ico.gov.uk/what_we_cover/data...

5) In those cases where the ICO has considered the complaint under s42 of
the DPA (as a ‘request for assessment’) and upheld the complaint
(whether remedial action was required to be taken or not), what was the
outcome in each case?

Between 1st April 2006 and 31st October 2009 the ICO received in excess
of 14,000 complaints under s42 of the DPA which indicated that the data
controller in question had failed to comply with the requirements of the
DPA (ie the complaint was upheld).  Most of these complaints are dealt
with by our Customer Services Team and our Casework & Advice Division by
way of informal resolution, with only a relatively small proportion of
those cases requiring the more formal regulatory action carried out by our
Regulatory Action Division.

The outcome of these cases is recorded as either ‘Compliance Unlikely
– no remedial action taken’ or ‘Compliance unlikely – remedial
action taken’. 

6) In those cases where the ICO has considered the complaint under s42 of
the DPA (as a ‘request for assessment’), how many complaints were not
upheld?

Between 1st April 2006 and 31st October 2009 our records show that the
ICO received 7,752 complaints under s42 of the DPA which indicated that
the data controller in question had in fact complied with the requirements
of the DPA (ie the complaint was not upheld). 

The outcome of these cases is recorded as ‘Compliance Likely’.

7) How many fines have been levied specifically in relation to the loss
of data?

Given that the loss of any personal data is an issue of compliance by the
data controller with the 7th data protection principle, the ICO can only
address this in the first instance by issuing an enforcement notice
against the data controller in question, instructing them to ensure
compliance with the DPA in the future.  If a data controller then fails
to comply with an enforcement notice they will be guilty of an offence
under s47(1) of the DPA. 

Of those cases which have resulted in the ICO initiating criminal
proceedings against a data controller for failing to comply with an
enforcement notice (ie s47), none since 1st April 2006 have related to
the loss of personal data by a data controller. 

8) How many times was the maximum fine imposed in relation to the loss
of data?

As suggested in 7) above, since 1st April 2006 no fine has been imposed
in relation to the loss of personal data. 

9) How many undertakings have been made by companies and individuals to
comply with the DPA in the last 3 years and how many reported breaches of
those undertakings have taken place?

As referred to in 4) above, since 1st April 2007 46 undertakings have
been signed. 

Due to the way in which our records are managed, unfortunately we are not
in a position to provide you with a response to the question “… how
many reported breaches of those undertakings have taken place?”.  I
will explain in more detail below why this is the case, but in brief,
section 12 of the Freedom of Information Act 2000 (FOIA) makes clear that
a public authority (such as the ICO) is not obliged to comply with an FOIA
request if the authority estimates that the cost of complying with the
request would exceed the ‘appropriate limit'. The ‘appropriate
limit’ for the ICO, as determined in the ‘Freedom of Information and
Data Protection (Appropriate Limit and Fees) Regulations 2004’ is
£450. We have determined that £450 would equate to 18 hours work.

Whilst the information you have requested is likely to sit within our
electronic case management system, this system is not set up to easily
provide us with the type of information you have requested. Generally
speaking this is not the sort of information we would need for our own day
to day business purposes.

For example, in order to establish how many data controllers had failed to
comply with the requirements set out in the undertaking they had signed,
we would need to conduct a search of our records to establish how many
complaints we had received about each data controller since they had
signed that undertaking.  Taking into account the requirements of each
undertaking signed by a data controller, we would then need to conduct a
manual search of our records to establish how many of those complaints
about that data controller related to the same issue previously addressed
(for example, loss of personal data). 

We have estimated that for each undertaking signed by each data controller
it would take on average 50 minutes to conduct a thorough search and check
of all the complaints received against that data controller (assuming an
average of 10 complaints had been made for each data controller, and each
check of each complaint taking 5 minutes).  Given that we know 46
undertakings have been signed since April 2007, we have estimated that it
would take in excess of 36 hours to carry out the necessary searches and
checks needed to locate, retrieve and extract the information you have
asked for.

This is well in excess of the 18 hours mentioned above, which would accrue
a charge of £450.  It is for this reason, and in accordance with section
12 of the FOIA, that we are not obliged to comply with this part of your
request for information.

I hope that this provides you with the information you require.  However,
if you are dissatisfied with this response and wish to request a review of
our decision or make a complaint about how your request has been handled
you should write to the Internal Compliance Team at the address below or
e-mail [8][email address]

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request
received after this time will only be considered at the discretion of the
Commissioner.

If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the Case Reception Team, at the address below or visit the
‘Complaints’ section of our website to make a Freedom of Information
Act or Environmental Information Regulations complaint online.


A copy of our review procedure is attached.

Yours sincerely

Antonia Swann

Assistant Internal Compliance Manager

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Tel: 01625 545894

[9]www.ico.gov.uk


References

Visible links
2. http://www.ico.gov.uk/upload/documents/p...
3. http://www.ico.gov.uk/Global/faqs/genera...
4. http://www.ico.gov.uk/upload/documents/l...
5. http://www.ico.gov.uk/upload/documents/l...
6. http://www.ico.gov.uk/upload/documents/l...
7. http://www.ico.gov.uk/what_we_cover/data...
8. mailto:[email address]
9. http://www.ico.gov.uk/
