The Information Commissioner’s Office (ICO) makes clear in its guidance that it cannot award compensation. This is true, but a recent criminal case illustrates that when the ICO is the prosecutor of a criminal charge, it can make an application to the sentencing court for compensation to be ordered, by which the offender must pay money to data subject victims.
Although the civil enforcement powers of the ICO are well known (such as the power to serve civil monetary penalties to a maximum of the higher of £17.5 million or 4% of global annual turnover), its criminal enforcement powers are possibly less well known. However, there are a number of criminal offences in data protection law for which the ICO is the chief prosecutor.
The offence which is most often prosecuted is that at section 170(1) of the Data Protection Act 2018, involving the unlawful obtaining or disclosing of personal data without the consent of the controller. This might happen where, for instance, a departing employee takes with them from the employer a list of individual customers, or, as in the recent case, where someone accesses the records of data subjects on the offender's employer's systems, without justification.
The ICO's most recent prosecution was of a former health adviser at South Warwickshire NHS Foundation Trust, who had accessed the records of 14 patients known to him personally, for no business reason, and without the Trust's knowledge and permission. He was convicted of the offence and was ordered to pay £250 to each of the victims (a total of £3,000).
It is important to note that this was not a fine, or an order for prosecution costs (the ICO's press release does not reveal whether either of those was imposed). Rather, and unusually for a data protection offence, this was a criminal compensation order, made under section 133 of the Sentencing Act 2020. Under section 133 a sentencing court may impose such an order, of its own volition or upon application by the prosecutor. There is no express limitation upon the size of the award, but it must be what the court considers appropriate in compensation for any personal injury, loss or damage resulting from the offence. The court must have regard to the offender's means, as well as any representations made by the prosecution or the defence.
In this instance, the ICO has informed Mishcon de Reya that it made the application for the court to consider making the award.
It is notoriously difficult to attach a value to non-material damages arising from a data protection infringement. It is notable that the court considered £250 an appropriate amount. It is assumed that it was in recognition of damage, in the form of distress, although specific details are not available. In this case, the intrusion into the data subjects' privacy was serious – a medical record is inherently private and confidential. The fact that this was prosecuted as a criminal offence demonstrates the ICO's attitude towards deliberate infringements involving particularly sensitive personal data. However, the court also had to take into account the defendant's means. Assuming the defendant was not of particularly significant means, a total award of £3,000 could be considered substantial.