A new Act of Parliament gives the United Kingdom’s Information Commissioner’s Office (ICO) the authority to impose monetary penalties for misuse of personal data in violation of section 55 of the Data Protection Act of 1998 (DPA).
For some years, the ICO has had only limited means of securing compliance with section 55 of the DPA, which makes it a criminal offense to knowingly or recklessly obtain or disclose personal data without consent. While the ICO has had the power to take action against individuals who violated section 55, the imposition of a penalty was left to the courts.
All this changed on May 9, 2008 with the enactment of the Criminal Justice and Immigration Act. The Act grants the ICO the power to impose fines directly for violations of section 55 of the DPA. This increase in the ICO’s authority mirrors that of other U.K. regulators like the Financial Services Authority, which in 2001 obtained the power to impose fines on banks and other financial institutions for data security failures.
Proskauer summer associate Noemi Blasutta contributed to this post.