News

The Ombudsman has issued Guidance on Monetary Penalty Orders (MPO) after consultation with Cabinet, as required under the Data Protection Law (DPL).

The DPL grants the Ombudsman the power to issue an MPO up to $250,000, in cases where there has been a serious contravention of the DPL, and the contravention was of a kind likely to cause substantial damage or substantial distress to an individual.

Before issuing an MPO, the Ombudsman is required to provide the data controller with an opportunity to make representations on any factors militating in favour or against an MPO, and on the amount of the penalty. Once the representations have been received, the Ombudsman decides whether to issue a monetary penalty order and, if so, in what amount

The Guidance identifies circumstances in which the Ombudsman considers it appropriate to issue an MPO, including factors that would make the imposition of a monetary penalty more likely, and factors that would make it less likely. For instance, a monetary penalty is more likely if the infringement was intentional or negligent in character.

The Guidance also includes factors that will help determine the amount of any penalty. These include whether the contravention was a “one-off” event, and whether steps were taken to avoid the infraction, e.g. through staff training.

The DPL provides the statutory framework for use of personal information by businesses, organizations and public authorities. It also grants rights to individuals in relation to their data. The Law came into force on 30 September 2019. The Office of the Ombudsman is tasked with oversight and enforcement, and individuals have the right to complain to the Ombudsman if they believe their data is not being processed in accordance with the new law.

More information including a copy of the Guidance on Monetary Penalty Orders is available on the website of the Office of the Ombudsman: https://www.ombudsman.ky/resources