The penalties are required under the Data Protection Law (DPL), which grants the ombudsman the power to issue monetary penalty orders of up to $250,000, in cases where there has been a serious contravention of the DPL, which was of a kind likely to cause substantial damage or distress to an individual.

Before issuing a monetary penalty, the ombudsman must give the data controller the opportunity to present any factors that affect the order or the penalty amount, stated a press release from the Office of the Ombudsman.

Once the representations have been received, the ombudsman decides whether to issue a monetary penalty order and, if so, in what amount.

The guidance identifies circumstances when the ombudsman considers it appropriate to issue a monetary penalty order, including factors that would make the imposition of a monetary penalty more or less likely. For instance, a monetary penalty is more likely if the infringement was considered intentional or negligent.

The guidance also includes factors that will help determine the amount of any penalty, such as whether the contravention was a ‘one-off’ event or whether steps were taken to avoid the infraction, e.g. through staff training.

The Data Protection Law, which came into force 30 Sept. 2019, provides the statutory framework for the way personal information is used by businesses, organisations and public authorities. It also grants rights to individuals in relation to their data. The Office of the Ombudsman is tasked with oversight and enforcement, and individuals have the right to complain to the ombudsman if they believe their data is not being processed in accordance with the new law.