ACS Law fact sheet

• Mr Crossley was served with a monetary penalty for a serious
breach of the Data Protection Act - the law the ICO is
responsible for regulating. The ICO’s remit does not cover
looking into an individual’s more general business practices.

• The power to impose a civil monetary penalty is as set out in
the Data Protection Act and the statutory guidance is set out
in Guidance about the issue of monetary penalties.

• Although the breach itself and the number of people affected
was taken into account, the primary reason Mr Crossley was
issued with a monetary penalty was because he did not have
adequate systems and procedures in place to keep personal
data secure. The data was also sensitive in its nature and its
disclosure was of a kind likely to cause substantial distress.

• Victims of the data breach are entitled to claim compensation
under the Data Protection Act but this right can only be
enforced by the victims themselves through the courts. The
ICO penalty notices will though assist any victims who want to
take such action. You can find out more on how to do this on
our website at:
http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/claiming_compensation_2.0.pdf

• The penalty is not kept by the Commissioner and, whatever
its level, it cannot be used to provide redress for individuals.
It must be paid into the HM Treasury’s Consolidated Fund.

• The Commissioner cannot impose a monetary penalty on an
individual without taking proper account of that individual’s
financial circumstances. The guidelines he must follow when
deciding the amount of a monetary penalty – which have
been approved by Parliament – clearly state that the likely
impact on an individual must be taken into account. The
guidelines make clear that the purpose of a penalty is not to
impose undue financial hardship and that the Commissioner
will take into account any proof of genuine financial hardship
which may be supplied. In this case Mr Crossley provided the
Commissioner with a sworn statement verifying his means.

• After receiving written representations and a sworn statement
from Mr Crossley verifying his means the Commissioner had
no legal power to inquire further.

• The Commissioner must act within the provisions of the Data
Protection Act. His decisions are subject to appeal. He may
have to justify his decision making and, in particular, the
amount of a monetary penalty, to the Court or Tribunal.

• A monetary penalty is not the same as a fine imposed by the
courts for a criminal offence. It is a civil debt that would be
taken into account in any bankruptcy proceedings and does
not take precedence over other civil debts an individual might
have. It would clearly be wrong of the Commissioner to
impose a penalty that he knew could not realistically be paid.
Doing so would, amongst other things, have the potential to
take money away from other legitimate creditors.

• The ICO’s detailed investigation into the security breach took
some time to complete and the legal process that followed
further delayed this matter. However, even if ACS Law had
still been trading its financial situation following the cyber
attack would also have been taken into account by the
Commissioner in accordance with the guidelines referred to
above. Therefore Mr Crossley trading as ACS Law might still
have received a substantially reduced monetary penalty.
There was therefore no incentive on Mr Crossley to close his
business simply to avoid a higher penalty. Mr Crossley was a
sole proprietor of ACS Law and personally liable to pay the
monetary penalty in any event.
