A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
The main data protection offences relate to the following:
Notification - particularly where an organisation has failed to notify the Information Commissioner's Office (ICO) within 72 hours about the way they process personal information or to make necessary changes to their notification entry.
Obtaining or disclosing personal data without the consent of the data controller. Employees have been prosecuted for selling their employers' information or even disclosing it to friends or family for their own purposes. Employees also need to be trained to recognise attempts to 'con' information out of them by unscrupulous individuals who trade in this type of information.
- Breaching formal notices issued by the Information Commissioner.
The Information Commissioner has the power to prosecute those who may have committed a criminal offence. An enforcement notice could be issued if an organisation has not complied with one or more of the data protection principles. The Information Commissioner can issue an information notice to demand information needed to consider a complaint or decide if a principle has been breached. This is usually a last resort if the information is being withheld. Both notices can be appealed to the Information Tribunal.
The Information Commissioner has also had the power to impose civil penalties on any data controller where:
- there has been a serious violation of data protection principles
- the violation was likely to cause substantial damage or distress
- the violation was deliberate or the data controller knew (or should have known) that a damaging or distressing violation was possible but failed to take reasonable steps to prevent it
The data controller will be served with a notice of intent detailing the nature, circumstances and seriousness of the violation along with an indication of the penalty amount. The maximum penalty is capped at £500,000.
Failing to notify a breach when required to do so can result in a significant fine up to 10 million euros or 2 per cent of your global turnover.
Data controllers can make a representation to the Information Commissioner (providing information on the mitigating circumstances and any relevant documents and evidence) on receipt of a notice of intent.
You could be liable for a financial penalty if you fail to notify or comply with an enforcement or information notice. If you are convicted of any other offence under the Act, you could face a fine.