Directors to pay the Digital Economy bill?
The Information Commissioner for the UK, Elizabeth Denham, has suggested that directors whose companies have violated data protection laws should and could be made personally liable to pay any resulting fines. This statement was made during a House of Commons Public Bill Committee meeting when discussing the most recent draft of the Digital Economy Bill. The Bill is designed to support the ‘digital transformation of government’ and help individuals and businesses to access digital communications services and promote investment in the associated infrastructure. The Bill controversially includes provisions enabling and regulating data sharing between public authorities and private companies.
The Committee’s view is that fines issued by the Information Commissioner’s Office are often ineffective in practice, since a large proportion of fines are made against offending companies as they enter into administration and, accordingly, end up not being recovered. The ICO can issue fines of up to £500,000 to data controllers (which includes all companies) for serious breaches of the Data Protection Act 1998, where such breach is likely to cause “substantial damage”. Ms Denham has suggested that attaching personal liability to directors could ensure that more fines are actually paid, by avoiding the situation in which company directors can “duck away from fines by putting their company into liquidation.”
All guidance by the Information Commissioner is supplementary and subordinate to the black letter law; however, Ms Denham’s clear message to company directors and their advisers is that directors and companies alike should revisit their insurance provisions and review the company data handling procedures. This position may be further complicated upon the UK’s exit from the European Union, since data processing provisions shall necessarily form an important part of the ongoing negotiations.
The prospect of personal liability for directors in this regard would have profound effects on the risks attached to being a company director. Accordingly, directors’ and officers’ liability insurance premiums would be likely to increase. At this stage, it would be advisable for directors to check that their cover protects against financial losses, including those resulting from fines, the devaluation of the company, and legal expenses to a satisfactory level. This can provide directors with a safety net to fall back on, but reliance on insurance is always best avoided.
The best way that directors can protect their own and the company’s interests in respect of data protection, though, is to ensure that the company maintains a clear and well thought-through data handling policy that is fit for purpose. In this regard, a full review of company policies and practices would be advisable to ensure compliance not only with legislation, but also the ICO’s guidance.
For further information, or to find out if your data protection and IT policies and practices leave you adequately protected, please contact Nick Humphreys or Alex Brooks on the email addresses below.