This briefing explains what a monetary penalty notice (MPN) is and sets out when the Information Commissioner (the Commissioner) can issue an MPN against a business.
What is an MPN?
An MPN is a notice requiring a data controller to pay a fine set by the Commissioner. The amount of the MPN determined by the Commissioner must not exceed £500,000.
Who is a data controller?
A data controller is the person (or business) who decides the purposes for which, and the manner in which, any personal data is processed.
When can an MPN be issued?
In order to issue an MPN the Commissioner must be satisfied that:
- The data controller has seriously contravened the Data Protection Act 1998 or the Privacy and Electronic Communications Regulations 2003; and
- The contravention was likely to cause substantial damage or distress, and either
- the contravention was deliberate; or
- the data controller knew or ought to have known that there was a risk that the contravention would occur, and that it would be likely to cause substantial damage or distress, but still failed to take reasonable steps to prevent it from happening.
In addition, the Commissioner may issue an MPN if a person has seriously contravened any of the requirements of the regulations on privacy and electronic communications.
Before issuing the MPN the Commissioner must serve a notice of intent on the data controller, stating the intention to impose a fine and providing a set length of time to respond. The data controller can contest the issue of the MPN and/or the proposed size of the fine.
The Commissioner must consider any representations and then decide whether to proceed with the imposition of the MPN. This is less likely where the data controller can show that reasonable preventative steps were taken. A data controller can appeal to the Tribunals Services against the imposition of an MPN.
A single breach may be sufficient to meet the threshold of a “serious contravention”. For example:
- Medical records containing sensitive personal data are lost during an office move.
- A failure by a data controller to take adequate security measures to protect electronic files leads to a loss or disclosure of personal data.
- An organisation persistently sends marketing material to recipients who have clearly objected.
What is meant by the term “substantial”?
The likelihood of damage or distress suffered by an individual will have to be considerable in importance, value, degree, amount or extent. For example:
- Inaccurate personal data held by an ex-employer is disclosed in an employment reference, resulting in the loss of a job opportunity for an individual.
- Repeated pre-recorded marketing calls or marketing text messages cause distress or anxiety to a large number of individuals who have not consented to receive those messages, particularly if recipients cannot stop the messages or complain about them because the identity of the caller or sender is concealed.
What is meant by the term “damage”?
Damage is any financial loss suffered by an individual, such as loss of earnings. For example:
- Financial data is lost and an individual becomes the victim of identity fraud.
- Recipients of large numbers of automated calls or messages incur costs when they have to make alternative arrangements to ensure urgent calls can be retrieved, such as doctors’ surgeries or the emergency services.
What is meant by the term “distress”?
Distress could be an injury to feelings or any anxiety suffered by an individual. For example:
- Medical details are stolen and an individual suffers worry and anxiety that their sensitive personal data will be made public, even if it does not actually happen.
- Pre-recorded marketing calls or marketing text messages are made over a period of several weeks to individuals who have not requested them, causing distress or anxiety.
What is meant by the term “deliberate” contravention?
The contravention is deliberate or premeditated. For example:
- A marketing company collects personal data for the purposes of a competition. It then uses the same data for other commercial purposes without informing the individuals concerned.
- A company continues to send marketing faxes to subscribers who are registered on the Fax Preference Service despite their repeated objections.
What is meant by the term “knew or ought to have known”?
A data controller is aware or should be aware of a risk that a contravention will occur. For example:
- A data controller is warned by its IT department that employees are accessing sensitive personal data but fails to carry out a risk assessment or implement a policy of encrypting all laptops and removable media as appropriate.
- A company that makes numerous marketing telephone calls is aware that the system it uses for blocking calls to numbers registered with the telephone preference service may develop a fault but continues to make calls without assessing the likelihood of the fault occurring and the implications if it does.
What factors will determine the amount of the MPN?
A number of factors will be taken into consideration before deciding the level that the MPN will be set at, including:
- Whether the contravention was a “one-off” or part of a series of similar breaches.
- Whether there was a deliberate lack of co-operation (for example, a failure to respond to reasonable requests for information during the investigation).
- What steps were taken once the data controller became aware of the breach (for example, concealing it or voluntarily reporting the contravention).
What steps can a business take to avoid the imposition of an MPN or notice of intent?
- Ensure that the business can provide evidence that it has recognised the risks of handling personal data and has taken action to address the issue (for example, the business has conducted a risk assessment).
- Put in place appropriate policies, practices and procedures to avoid potential data protection breaches within the business (for example, by establishing a robust compliance regime).
- Pay particular attention to data protection issues where the personal data of large numbers of individuals or sensitive data is concerned.
- Implement any codes of practice published by the Commissioner or other regulatory bodies that may be relevant to potential data protection breaches within the business.
- Do not allow any known issues to remain unresolved (for example, rectify any problems with the business’ IT systems as soon as possible).