Data Protection and Monetary Penalty Notices

Many of us will have viewed with considerable satisfaction the news that Monetary Penalty Notices have been served on Christopher Niebel and Gary McNeish, the joint owners of Tetrus Telecoms, who have been inundating us all with unwelcome spam messages. However, are we confident that we would not fall foul of the Information Commissioner ourselves?

Background

In that case, Tetrus Telecoms had sent millions of unlawful spam texts to the public over the past three years in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Mr Niebel was fined £300,000; Mr McNeish was fined £140,000. Further details of this prosecution are set out on the website of the Information Commissioner.

However, a further examination of recent Monetary Penalty Notices issued by the Information Commissioner’s Office (“ICO”) will cause most businesses a significant amount of discomfort because many of these Notices are served under the Data Protection Act 1998 (“DPA”). Since 6th April 2010 the ICO has had the power to issue Monetary Penalty Notices of up to £500,000 for serious breaches of the DPA as well as for breaches of the PECR.

Whilst the ICO’s website states that a Monetary Penalty will only be appropriate in the most serious situations, closer examination of the cases reveals some alarming situations in which substantial fines have been imposed. Here are some recent examples:

  • On 12th July 2012 a Monetary Penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
  • On 16th October 2012 a Monetary Penalty of £150,000 was issued to Greater Manchester Police after the theft of a memory stick containing sensitive personal data from an officer’s home. The device, which had no password protection, contained details of more than a thousand people with links to serious crime investigations.
  • On 25th October 2012 a Monetary Penalty of £120,000 was issued to Stoke-on-Trent City Council following a serious breach of the Data Protection Act that led to sensitive information about a child protection legal case being emailed to the wrong person.

The Information Commissioner states that when deciding the amount of a Monetary Penalty, the Commissioner not only takes into account the seriousness of the breach but also other factors including the size, financial and other resources of a data controller. Where would that leave us?

Summary

For most companies, the level of fines that can now be imposed by the ICO means that, at the very least, they should

  • take active steps to try to understand those aspects of the business where they may be at risk; and then

  • implement a plan to ensure that any risks are properly managed.

If they cannot demonstrate that they have taken active steps to avoid any breach, the ICO can now impose very substantial fines.