Data Protection: New Enforcement Powers!
Introduction
The DPA came into force on 1 March 2000. It provides a framework of eight guiding principles that “balance[s] the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details”.[1]
Under the DPA, pension scheme trustees are regarded as “data controllers” because they process data about scheme members for the purposes of administering and operating the pension scheme. As “data controllers”, trustees must register with the IC and ensure that any personal data for which they are responsible is processed in a manner which complies with the DPA.
In this Alert:
Key points
- As “data controllers”, pension scheme trustees must ensure that the personal data for which they are responsible is processed in a manner which complies with the DPA.
- From 6 April 2010, trustees could be fined up to £500,000 for a “serious” breach of the data protection principles which occurs on or after that date.
- Trustees should consider reviewing their data protection practices with their legal advisers and ensure they are compliant with the DPA.
Compliance
An essential starting point for trustees is to ensure that they are complying with the spirit of the eight data protection principles. Broadly these require personal data to be:
- processed fairly and lawfully;
- obtained and processed in accordance with specified and lawful purposes;
- adequate, relevant and not excessive in relation to the purpose(s) for which it is processed;
- accurate and, where necessary, kept up to date;
- kept only for as long as is necessary;
- processed in accordance with the individual’s rights under the DPA;
- kept secure and sufficient measures taken against unlawful or unauthorised processing (and against accidental loss, destruction of or damage to it); and
- kept within the EEA unless, on a transfer outside that area, the information will be adequately protected.
Current Penalties
The IC is responsible for taking enforcement action in relation to the DPA.
If trustees fail to meet their obligations, currently they may be served with an enforcement notice. This is issued where the IC is satisfied that an organisation has failed (or is failing) to comply with any of the data protection principles, and can require that specific steps are taken (or not taken as the case may be) to achieve compliance. To determine whether an organisation is meeting the requirements, the IC may also serve an information notice. Failure to comply with an enforcement or an information notice is a criminal offence.
The IC’s new powers
With effect from 6 April 2010, the IC will have additional power to impose a fine of up to £500,000 where it is satisfied that there has been a serious breach of one or more of the data protection principles which is likely to cause substantial damage or distress, and either:
- the breach was committed deliberately; or
- the organisation knew (or should have known) that there was a risk of a serious breach but failed to take reasonable steps to prevent it.
In its Guidance, the IC explains that, in general, a data controller with substantial resources is more likely to attract a higher fine than one with limited resources for a similar contravention of the data protection principles.
The Government hopes that an increase in the sanctions faced by data controllers will help increase compliance and provide individuals with greater confidence that their information is being handled correctly.[2]
Administrators
A particular issue for pension scheme trustees is the use of administrators. With this in mind, the IC has produced a Good Practice Note specifically for trustees, explaining how they should discharge their duties. Broadly, they need to ensure that any personal data which is passed to their administrators remains secure and is only processed in accordance with their instructions. This requirement should be addressed in their contract with the administrator.
Action
The introduction of a power to impose a high penalty for non-compliance with the DPA will inevitably mean a sharper focus on data protection practices. Now is the time for trustees to review their procedures, with their legal advisers, and revise them as necessary.
[1] www.ico.gov.uk
[2] Consultation Paper CP48/09: Civil Monetary Penalties, Setting the maximum penalty