By Susan Foster, Mintz Levin London
As of April 6, 2010, the UK’s Information Commissioner’s Office (ICO) can levy fines of up to £500,000 for breaches of the Data Protection Act 1998 that are:
• serious in nature
• deliberate or reckless, and
• likely to cause substantial damage or distress to an individual.
The standard for “reckless” non-compliance may take some by surprise: Did the data controller know, or should it have known, that there was a risk of a breach of a kind likely to cause substantial damage or distress? If so, were reasonable steps were taken to prevent the breach?
The ICO has given a specific example that may make IT and privacy officers flinch, but will come as no surprise to those in the U.S. who have been dealing with the likes of Massachusetts 201 CMR 17.00 or the HITECH Act: Does the company have appropriate policies and procedures in place such as the encryption of all laptops and removable media (such as flash drives) to avoid loss of personal data if an employee’s laptop or removable media is stolen? Failing to do so might be considered “reckless” depending on the likely consequences of the loss of personal data contained in the unsecured devices.
For more information, see our our Mintz Levin Client Alert. Also, the ICO has published detailed guidance concerning when fines will be issued, the process for trying to get fines withdrawn or reduced, how to appeal, and payment.