Fall-out of failure to look after data
Keep It Legal.
New Data Protection Fining Guidance has been published by the Information Commissioner's Office. Philippa Doyle explains what this means for independent healthcare providers and offers some practical take-away tips.
The new guidance covers the circumstances in which the Information Commissioner's Office (ICO) would consider it appropriate to issue a fine, and how it determines the amount of any fine imposed. The maximum amount of fines has not changed.
Statutory background
Under the Data Protection Act 2018 (DPA), the ICO may impose a fine where a person has:
- Failed to comply with certain provisions of the UK General Data Protection Regulation (UK GDPR), the amended version of the EU GDPR that came into force on 1 January 2021, following Brexit.
- Failed to comply with an information notice, assessment notice or enforcement notice given under Part 6 of the DPA 2018.
- Failed to comply with certain provisions of the UK General Data Protection Regulations (GDPR).
There are two levels of maximum fine – the ‘standard maximum amount’ and the ‘higher maximum amount’ – both of which are large sums that could significantly impact the financial standing of a business. Annex 2 of the guidance sets out which level of maximum fine applies to each relevant provision of the UK GDPR and the DPA 2018.
The standard maximum is the greater of either £8.7m or 2% of the total worldwide annual turnover. The higher maximum is the greater of either £17.5m or 4% of the total worldwide annual turnover.
If there are multiple infringements arising from the same or linked conduct – the ICO will assess on a case-by-case basis whether the incidents are linked – the overall fine will not exceed the specified maximum for the gravest infringement.
Consideration factors
When deciding whether to issue a fine, the ICO will assess each case on an individual basis. However, it must have regard to the factors listed in Article 83 UK GDPR, as well as ensuring that the fine imposed is effective, proportionate and dissuasive.
Factors to consider include:
- The nature, gravity and duration of the infringement;
- The intentional or negligent character of the infringement;
- Any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- The degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them;
- Any relevant previous infringements;
- The degree of co-operation with the ICO in order to remedy the infringement and mitigate its possible adverse effects;
- The categories of personal data affected by the infringement;
- The manner in which the infringement became known to the ICO;
- Whether measures referred to in Article 58(2) UK GDPR have previously been ordered against the controller or processor concerned with regard to the same subject-matter;
- Adherence to approved codes of conduct pursuant to Article 40 UK GDPR or approved certification mechanisms pursuant to Article 42 UK GDPR;
- Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, from the infringement.
Determining amount
If the ICO decides to issue a fine, then the amount is calculated using the following five-step approach:
Step 1: Assessment of the seriousness of the infringement;
Step 2: Accounting for turnover – where the controller or processor is part of an undertaking;
Step 3: Calculation of the starting point having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking;
Step 4: Adjustment to take into account any aggravating or mitigating factors;
Step 5: Assessment of whether the fine is effective, proportionate and dissuasive.
In exceptional circumstances, the Commissioner has the discretion to reduce a penalty where a private healthcare provider or company cannot afford to pay it because of its financial position.
The practitioner or business concerned must make a claim of financial hardship, and bears the burden of demonstrating that its circumstances warrant such a reduction.
Where appropriate, the Commissioner may enter an agreement providing additional time to pay a fine or to allow for the payment of the fine in instalments.
Take-aways
The updated guidance has helped provide clarity on both how the ICO reaches its decision and how it subsequently calculates any potential fine.
It is also worth bearing in mind that aside from the potential financial consequence, there may also be reputational damage as a result of a breach.
Therefore, it makes for a timely reminder to independent healthcare providers to:
1. Check their data protection policies are in order, ensuring that they are complying with the latest ICO and UK GDPR requirements;
2. Ensure they have an effective response plan if there is a breach;
3. Ensure staff understand their obligations and what is expected of them. This could be via staff training or even regular internal risk assessments.
If you would like to read the full guidance, visit the ICO website.
If you have any queries about any aspect of this article or the ICO guidance, please don’t hesitate to contact Philippa Doyle, a partner in Hempsons’ healthcare advisory team, by email at p.doyle@hempsons.co.uk.