Civil Monetary Penalties for Data Breaches

January 13, 2010

With a draft statutory instrument now laid before Parliament and the publication of the statutory guidance by the Information Commissioner’s Office, there is no longer any real doubt that the new civil monetary penalties regime, foreshadowed in the Criminal Justice and Immigration Act 2008, s 144, will come into force on 6 April 2010. The ICO will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act 1998 under ss 55A to 55E of that Act.

According to the Ministry, which published its response to the public consultation ‘Civil Monetary Penalties – Setting the maximum penalty’ on 12 January, a majority of respondents supported the government’s proposal to set a maximum penalty of £500,000.
The ICO has produced final statutory guidance, in accordance with s 55C of the DPA, about how it proposes to use its new power, which has been approved by the Secretary of State for Justice, and was laid before Parliament on 12 January. The guidance can be downloaded from the ICO web site.

The relevant statutory instruments are:
• The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010, which prescribe the maximum amount of a monetary penalty. They also set out the minimum details to be contained in a notice of intent and in a monetary penalty notice. This SI is subject to the negative resolution procedure.
• The Data Protection (Monetary Penalties) Order 2010, which sets out the procedure for issuing a monetary penalty notice following a notice of intent. It also sets out when enforcement action can be taken, the power to cancel or vary a monetary penalty notice issued by the Information Commissioner, and the appeal rights of data controllers. This SI is subject to approval by resolution of each House of Parliament.

Taken together, these instruments create a framework under which the Information Commissioner may serve a monetary penalty notice on a data controller if he is satisfied both that there has been a serious contravention of the data protection principles by the data controller and that the contravention was of a kind likely to cause substantial damage or substantial distress. The contravention must either be deliberate, or be one which the data controller knew (or ought to have known) would occur and would be of a kind likely to cause substantial damage or substantial distress, but which he failed to take reasonable steps to prevent. Both instruments will come into force together.
A full explanatory memorandum for the SIs is at

When serving monetary penalties, the Information Commissioner is bound to consider the circumstances carefully, including the seriousness of the data breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent; and what reasonable steps the organisation has taken to prevent breaches.

Information Commissioner, Christopher Graham, said: ‘Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.’

Justice Minister, Michael Wills, said:
‘Civil Monetary Penalties of up to half a million pounds will ensure that the Information Commissioner is able to impose robust sanctions on those who commit serious contraventions of the data protection principles.
Most data controllers do comply with the principles but since misuse of even small amounts of personal data can have very serious consequences, it is vital that we do all that we can to prevent non-compliance. Penalties of up to £500,000 will act as a strong deterrent.’

Apparently, of the 52 responses received in the consultation, 27 agreed that £500,000 was the correct maximum level, 8 thought it should be higher, 9 thought there should be a lower level, and 8 did not reply directly to the question.