Whilst it was expected that criminal charges would be laid against the directors of companies in serious breach of the Act, the hefty fines now available are expected to make clear that the ICO will no longer tolerate such losses.
The new rules were laid before Parliament yesterday and have been approved by Jack Straw MP, Secretary of State for Justice.
When serving monetary penalties, the plan is for the information commissioner to carefully consider the circumstances – "including the seriousness of the data breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent and what reasonable steps the organisation has taken to prevent breaches."
According to Christopher Graham, the information commissioner, getting data protection right has never been more important than it is today.
"As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people", he said.
"These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law", he added.
Graham went on to say that, as commissioner, he will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty.
"Factors will be taken into account including an organisation's financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation."
"The power to impose a monetary penalty notice is designed to deal with serious breaches of the Data Protection Act and is part of the ICO's overall regulatory toolkit which includes the power to serve an enforcement notice and the power to prosecute those involved in the unlawful trade in confidential personal data."
Plans call for individual cases to also be assessed on whether the breach was accidental or deliberate, and how much distress the leak of information caused.
Further details of the guidance can be downloaded from the main ICO website.
Comments
Courion says:
19 January 2010
Resorting to punitive measures, such as fines, represents a sad day in the history of information security. Alas, the repeated examples of lax corporate and public sector security awareness and compliance have made it an unfortunate necessity.
Lax data security processes are not confined to the private sector. TK Maxx, Nationwide Building Society and Cotton Traders are just a few examples of enterprises that have suffered a data loss or theft, but can immediately be matched by failures within the public sector at HM Revenue and Customs, the NHS, the Ministry of Defence, to name just three.
Increased regulation and public expectation over the safety of data poses challenges for the IT department and for those responsible for security policy and training. These challenges are amplified by the real threat of a large fine or other legal sanctions. Some businesses, particularly in vertical sectors such as financial services that are already heavily regulated in relation to data protection, often find themselves struggling to stay on top of the latest regulations and requirements.
Failure to stay on top of these rapidly evolving legal requirements can quickly develop into malaise, and this is where security problems occur. The sizable fines the Information Commissioner’s Office can now impose will hopefully deter organisations of all types from falling behind on data security.
However, if past instances of data loss and theft teach us anything, it is that regulation alone will not solve the problem. Such measures must be aligned with an overall government effort to encourage and build a culture of security best practice and common sense, underpinned by solid technologies that can deliver the level of security required by law and able to cope with emerging threats and the changing ways in which we work.
Stuart Hodkinson, UK general manager, Courion
Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those of Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.