
ACS Law fact sheet

• Mr Crossley was served with a monetary penalty for a serious breach of the Data Protection Act - the law the ICO is responsible for regulating. The ICO’s remit does not cover looking into an individual’s more general business practices.

• The power to impose a civil monetary penalty is as set out in the Data Protection Act and the statutory guidance is set out in Guidance about the issue of monetary penalties.

• Although the breach itself and the number of people affected were taken into account, the primary reason Mr Crossley was issued with a monetary penalty was that he did not have adequate systems and procedures in place to keep personal data secure. The data was also sensitive in its nature and its disclosure was of a kind likely to cause substantial distress.

• Victims of the data breach are entitled to claim compensation under the Data Protection Act, but this right can only be enforced by the victims themselves through the courts. The ICO penalty notices will, though, assist any victims who want to take such action. You can find out more on how to do this on our website at: tion/practical_application/claiming_compensation_2.0.pdf

• The penalty is not kept by the Commissioner and, whatever its level, it cannot be used to provide redress for individuals. It must be paid into the HM Treasury’s Consolidated Fund.

• The Commissioner cannot impose a monetary penalty on an individual without taking proper account of that individual’s financial circumstances. The guidelines he must follow when deciding the amount of a monetary penalty – which have been approved by Parliament – clearly state that the likely impact on an individual must be taken into account. The guidelines make clear that the purpose of a penalty is not to impose undue financial hardship and that the Commissioner will take into account any proof of genuine financial hardship which may be supplied. In this case Mr Crossley provided the Commissioner with a sworn statement verifying his means.

• After receiving written representations and a sworn statement from Mr Crossley verifying his means, the Commissioner had no legal power to inquire further.

• The Commissioner must act within the provisions of the Data Protection Act. His decisions are subject to appeal. He may have to justify his decision making and, in particular, the amount of a monetary penalty, to the Court or Tribunal.

• A monetary penalty is not the same as a fine imposed by the courts for a criminal offence. It is a civil debt that would be taken into account in any bankruptcy proceedings and does not take precedence over other civil debts an individual might have. It would clearly be wrong of the Commissioner to impose a penalty that he knew could not realistically be paid. Doing so would, amongst other things, have the potential to take money away from other legitimate creditors.

• The ICO’s detailed investigation into the security breach took some time to complete and the legal process that followed further delayed this matter. However, even if ACS Law had still been trading, its financial situation following the cyber attack would also have been taken into account by the Commissioner in accordance with the guidelines referred to above. Therefore Mr Crossley trading as ACS Law might still have received a substantially reduced monetary penalty. There was therefore no incentive on Mr Crossley to close his business simply to avoid a higher penalty. Mr Crossley was a sole proprietor of ACS Law and personally liable to pay the monetary penalty in any event.