Summary convictions under the DPA may now be punishable by an unlimited fine

With effect from 12 March 2015, summary convictions under the Data Protection Act 1998 (DPA) may be punishable by an unlimited fine. 

Background

Prior to the commencement of certain provisions in the Legal Aid, Sentencing and Punishment of Offenders Act 2012 on 12 March 2015, there was a cap of £5,000 on fines in magistrates' courts for summary offences, including summary offences under the DPA. 

Under the DPA, ‘data controllers’ and others can be convicted of certain offences liable to either summary conviction or conviction on indictment. Data controllers are those who determine the purpose for, or manner of, processing personal data. ‘Personal data’ is data relating to individuals by which those individuals could be identified. 

Offences under the DPA

A data controller may commit an offence if:

  • it does not notify the Information Commissioner of any changes to the information it must register with the Commissioner; or
  • it fails to comply with a notice from the Commissioner or knowingly makes a false statement in its response to an information notice.

In addition, if an individual or a company is not a data controller in respect of personal information, but he/she or a company employee knowingly or recklessly obtains or discloses personal data without the consent of the ‘data controller’, then the individual or the company will also commit an offence.

It is important to note that:

  • directors and other officers of companies which commit offences are open to prosecution. If an offence by a company is proved to have been committed with the “consent or connivance of, or to be attributable to any neglect” on the part of, the officer concerned, or a member where a company is managed by its members, that officer or member will be guilty of the offence (in addition to the company); and
  • the Seventh Data Protection Principle requires a ‘data controller’ to set up appropriate technical and organisational security measures to prevent, amongst other things, unauthorised or unlawful processing of personal data. A breach of this duty by an employee could result in an enforcement notice from the Information Commissioner. Failure to comply with such a notice would constitute an offence. 

What are the implications?

The change means that an unlimited fine could now be imposed by a bench of lay justices for more minor offences. It is therefore harder for companies to choose the risk of paying a fine over the cost of implementing correct procedures, knowing that the penalty for a breach could now be an unlimited sum. The intended outcome is that companies will be more likely to choose to invest in data protection measures.

It remains to be seen whether or to what extent magistrates will have the confidence or inclination to make use of this new power. Given that it was already the case that, if convicted on indictment in a Crown Court, the offender was exposed to an unlimited fine, it is possible that magistrates may choose to use the old £5,000 cap as a rule of thumb.

However, the best way to manage the risk is to avoid a breach of the DPA in the first instance. Companies should have clear procedures and policies in place for recognising and handling personal data and for any consequential complaints.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2015. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
   
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
