F1Personal data breach: enforcement5C.
(1)
If a service provider fails to comply with the notification requirements of regulation 5A, the Information Commissioner may issue a fixed monetary penalty notice in respect of that failure.
(2)
The amount of a fixed monetary penalty under this regulation shall be £1,000.
(3)
Before serving such a notice, the Information Commissioner must serve the service provider with a notice of intent.
(4)
The notice of intent must—
(a)
state the name and address of the service provider;
(b)
state the nature of the breach;
(c)
indicate the amount of the fixed monetary penalty;
(d)
include a statement informing the service provider of the opportunity to discharge liability for the fixed monetary penalty;
(e)
indicate the date on which the Information Commissioner proposes to serve the fixed monetary penalty notice; and
(f)
inform the service provider that he may make written representations in relation to the proposal to serve a fixed monetary penalty notice within the period of 21 days F2beginning when the notice of intent is served.
(5)
A service provider may discharge liability for the fixed monetary penalty if he pays to the Information Commissioner the amount of £800 within F3the period of 21 days beginning when the notice of intent is received.
(6)
The Information Commissioner may not serve a fixed monetary penalty notice until the time within which representations may be made has expired.
(7)
The fixed monetary penalty notice must state—
(a)
the name and address of the service provider;
(b)
details of the notice of intent served on the service provider;
(c)
whether there have been any written representations;
(d)
details of any early payment discounts;
(e)
the grounds on which the Information Commissioner imposes the fixed monetary penalty;
(f)
the date by which the fixed monetary penalty is to be paid; and
(g)
details of, including the time limit for, the service provider’s right of appeal against the imposition of the fixed monetary penalty.
(8)
A service provider on whom a fixed monetary penalty is served may appeal to the Tribunal against the issue of the fixed monetary penalty notice.
(9)
Any sum received by the Information Commissioner by virtue of this regulation must be paid into the Consolidated Fund.
(10)
In England and Wales F4..., the penalty is recoverable—
(a)
if F5the county court so orders, as if it were payable under an order of that court;
(b)
if the High Court so orders, as if it were payable under an order of that court.
(11)
In Scotland, the penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.
F6(12)
In Northern Ireland, the penalty is recoverable—
(a)
if a county court so orders, as if it were payable under an order of that court;
(b)
if the High Court so orders, as if it were payable under an order of that court.
(13)
The Secretary of State may by regulations made by statutory instrument amend this regulation so as to substitute a different amount for the amount for the time being specified in paragraph (2) or (5).
(14)
Regulations under paragraph (13) may make transitional provision.
(15)
Before making regulations under paragraph (13), the Secretary of State must consult—
(a)
the Information Commissioner, and
(b)
such other persons as the Secretary of State considers appropriate.
(16)
A statutory instrument containing regulations under this regulation may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.