The Information Commissioner's Office (ICO) has certain powers where an organisation has breached data protection legislation, including the ability to issue a monetary penalty of up to £500,000 and to instigate criminal prosecution. Please see Information Commissioner.
An individual may apply to court to enforce his rights where the data controller has failed to respond to certain requests made or notices given by the individual, including:
- a subject access request where the courts may order the data controller to comply with the request;
- a notice requiring the data controller to cease or refrain from processing certain personal data where the courts may require the organisation to comply with the request; and
- a notice requiring the data controller to ensure that no decision significantly affecting the individual is based solely on the automated processing of his personal data, or requiring it to reconsider the automated decision or take a new decision on a different basis. The court may order the data controller to reconsider the decision or take a new decision on a different basis.
Compensation may also be awarded by the courts to individuals where:
- damage has been caused by breach of the legislation; or
- the individual has suffered distress as a result of a breach.
Certain breaches can lead to criminal prosecution, for example:
- breach of the obligation to notify or inform the ICO of any changes to registrable particulars;
- failure to comply with an information notice, a special information notice or an enforcement notice, or knowingly making a false statement in response to an information notice;
- knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller or selling or offering to sell data so obtained or disclosed.
Criminal proceedings can be brought by the ICO or the Director of Public Prosecutions. Those convicted can be subject to unlimited fines in both the magistrates’ court and the Crown Court.
The Home Secretary has the power, after consultation, to issue secondary legislation to introduce custodial sentences of up to 12 months on summary conviction, and up to two years’ imprisonment on conviction on indictment, for those involved in the illegal trade of personal information. The government consulted on the introduction of custodial sentences in 2009/2010. Following the consultation, the government said it intended to bring in the new custodial sentences, but it has yet to do so. However, custodial sentences for breaches of certain data protection rules may be introduced in the future.
Breaches of data protection can also lead to:
- bad publicity;
- loss of reputation, brand and goodwill;
- loss of customers and future customers.