The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010

Statutory Instruments

2010 No. 31

Data Protection

The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010

Made

6th January 2010

Laid before Parliament

12th January 2010

Coming into force

6th April 2010

The Secretary of State has consulted the Information Commissioner in accordance with section 67(3)(b) of the Data Protection Act 1998(1).

Accordingly, the Secretary of State, in exercise of the powers conferred by sections 55A(5) and (7) and 55B(3)(b) of that Act(2), makes the following Regulations:

Citation, commencement and interpretation

1.—(1) These Regulations may be cited as the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and come into force on 6th April 2010.

(2) In these Regulations references to sections are references to sections of the Data Protection Act 1998.

(3) In these Regulations—

“address” is construed in accordance with section 16(3);

“contravention” is construed in accordance with section 55A.

Prescribed amount

2.  The prescribed amount for the purposes of section 55A(5) is £500,000.

Notices of intent

3.  For the purposes of section 55B(3)(b) the prescribed information is—

(a)the name and address of the data controller;

(b)the grounds on which the Commissioner proposes to serve a monetary penalty notice, including—

(i)the nature of the personal data involved in the contravention,

(ii)a description of the circumstances of the contravention,

(iii)the reason the Commissioner considers that the contravention is serious,

(iv)the reason the Commissioner considers that the contravention is of a kind likely to cause substantial damage or substantial distress, and

(v)whether the Commissioner considers that section 55A(2) applies or that section 55A(3) applies, and the reason the Commissioner has taken this view;

(c)an indication of the amount of the monetary penalty the Commissioner proposes to impose and any aggravating or mitigating features the Commissioner has taken into account; and

(d)the date on which the Commissioner proposes to serve the monetary penalty notice.

Monetary penalty notices

4.  For the purposes of section 55A(7) the prescribed information is—

(a)the name and address of the data controller;

(b)details of the notice of intent served on the data controller;

(c)whether the Commissioner received written representations following the service of the notice of intent;

(d)the grounds on which the Commissioner imposes the monetary penalty, including—

(i)the nature of the personal data involved in the contravention,

(ii)a description of the circumstances of the contravention,

(iii)the reason the Commissioner is satisfied that the contravention is serious,

(iv)the reason the Commissioner is satisfied that the contravention is of a kind likely to cause substantial damage or substantial distress, and

(v)whether the Commissioner is satisfied that section 55A(2) applies, or that section 55A(3) applies, and the reason the Commissioner is so satisfied;

(e)the reasons for the amount of the monetary penalty including any aggravating or mitigating features the Commissioner has taken into account when setting the amount;

(f)details of how the monetary penalty is to be paid;

(g)details of, including the time limit for, the data controller’s right of appeal against—

(i)the imposition of the monetary penalty, and

(ii)the amount of the monetary penalty; and

(h)details of the Commissioner’s enforcement powers under section 55D(3).

Michael Wills

Minister of State

Ministry of Justice

6th January 2010

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations make provision in relation to the power of the Information Commissioner to impose monetary penalty notices on data controllers under section 55A of the Data Protection Act 1998.

Regulation 2 prescribes £500,000 as the maximum amount the Information Commissioner may impose as a monetary penalty.

Regulation 3 prescribes the information the Information Commissioner must include in a notice of intent, which he serves on a data controller when he intends to impose a monetary penalty.

Regulation 4 prescribes the information the Information Commissioner must include in a monetary penalty notice.

The full Impact Assessment is available at the Ministry of Justice website (www.justice.gov.uk). For more details please contact Belinda Lewis at 0203 334 4550 or to Belinda.Lewis@justice.gov.gsi.uk

(2)

Sections 55A and 55B were inserted into the Data Protection Act 1998 by section 144 of the Criminal Justice and Immigration Act 2008 (c. 4).

(3)

Section 55D was inserted into the Data Protection Act 1998 by section 144 of the Criminal Justice and Immigration Act 2008 (c. 4).