The Fining Guidance sets out how the ICO will approach the consideration of seriousness of an infringement when deciding whether to issue a penalty notice and calculating the amount of any fine, by taking into account:
- its nature, gravity and duration [1];
- whether it was intentional or negligent [2]; and
- the categories of personal data affected [3].
The ICO will then categorise the infringement according to its degree of seriousness and apply a starting point based on a percentage of the relevant applicable statutory maximum.
Summary of responses
One respondent suggested that the Fining Guidance could make it difficult for large companies operating in markets that involve the innovative use of data to avoid any infringement being regarded as serious because of the nature of the processing and the likelihood a large number of users would be affected.
Another respondent suggested that the ICO should, where relevant, consider processing that is in the public interest or in the exercise of fundamental rights as a factor reducing the seriousness of an infringement.
One of the respondents stated that the wording of paragraph 65 of the draft Fining Guidance indicated that the ICO is likely to conclude that any circumstances in which senior management authorises unlawful processing constitutes an intentional infringement, irrespective of senior management’s awareness of the unlawfulness.
Respondents also commented that the third bullet point of paragraph 67 of the Fining Guidance could lead to the ICO equating human error with negligence, and requested that this be clarified.
Some respondents noted that a number of the factors to be taken into consideration appeared to involve duplication and that taking an approach that involves consideration of seriousness before assessing aggravating and mitigating factors could cause confusion. They were concerned this could result in additional weight being afforded to some factors in the assessment of seriousness or mean that the full range of factors are not considered in a holistic way.
ICO response
Overall, we consider that the Fining Guidance is clear that the ICO takes into account a range of factors when deciding on the seriousness of an infringement. The individual circumstances of each case will determine what weight to give to each factor. We also consider that it follows from the way the UK GDPR is drafted that an infringement arising from processing by a large organisation involving new technology in a way that involves a high risk to a large number of data subjects (eg because of a failure to ensure appropriate safeguards are in place) may be considered to be serious. This is a natural conclusion to draw from the legislation. However, this is a matter to be considered on a case-by-case basis and the ICO would take into account any evidence that, despite the infringement, there were limited effects on data subjects.
Similarly, the guidance is intended to be clear that human error does not automatically equate to a finding of negligence. Human error is cited as relevant evidence to be considered in determining that question, particularly where the person involved has not received adequate training. Likewise, the reference to senior management authorising the unlawful processing is made within the context of explaining the types of evidence that would be considered by the ICO in deciding whether an infringement has been committed intentionally or negligently. In the light of the comments received, the ICO has amended the guidance to emphasise that the assessment of intent or negligence requires taking into account the individual circumstances of each case. The amendments make it clear that the evidence cited is by way of example (rather than being determinative of what constitutes intention or negligence).
While it is a fair comment that the process of assessing the various factors involves a degree of repetition, this reflects the way the legislation is drafted and the fact that the ICO needs to consider all the relevant factors, both when: (i) deciding whether to impose a fine and (ii) determining the amount of the fine.
We consider that the approach set out in the Fining Guidance is logical. Some of the factors clearly lend themselves to an assessment of seriousness of the infringement, whereas others are more clearly aggravating or mitigating factors. However, we also emphasise throughout the guidance that the ICO will take a holistic view when deciding on whether to impose a fine and the amount of any fine, taking into account all the factors in the round.
[1] Article 83(2)(a) UK GDPR or section 155(3)(a) DPA 2018.
[2] Article 83(2)(b) UK GDPR or section 155(3)(b) DPA 2018.
[3] Article 83(2)(g) UK GDPR or section 155(3)(g) DPA 2018.