If an employer contravenes the data protection principles and an individual suffers damage or damage and distress as a result, he or she can apply to a court for compensation. (Compensation is not available if the individual suffers only distress.) The employer has a defence to the claim if it can show that it took such care as was reasonable in all the circumstances to comply with the Act.
A court can also order an employer to correct, block, erase or destroy information that is inaccurate, or which contains an expression of opinion that is based on inaccurate information. An order of this type can also be made if the individual has suffered damage because the employer has failed to comply with the data protection principles and the court considers that there is a substantial risk that further contraventions of the Act will occur.
An individual may also ask the Information Commissioner to assess whether the employer is complying with the Act. Depending on the result of that assessment, the Commissioner may decide to bring enforcement action against the employer. The Commissioner has the power to serve an enforcement notice on an employer, requiring it to comply with the Act. Failure to comply with an enforcement notice is a criminal offence, unless the employer can show that it exercised all due care to comply.