UK data losses will now result in half a million pound penalties

Whilst it was expected that criminal charges would be laid against the directors of companies in serious breach of the Act, the hefty fines now available are expected to reiterate that the ICO will no longer tolerate such losses.

The new rules were laid before Parliament yesterday and have been approved by Jack Straw MP, Secretary of State for Justice.

When serving monetary penalties, the plan is for the information commissioner to carefully consider the circumstances – "including the seriousness of the data breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent and what reasonable steps the organisation has taken to prevent breaches."

According to Christopher Graham, the information commissioner, getting data protection right has never been more important than it is today.

"As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people", he said.

"These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law", he added.

Graham went on to say that, as commissioner, he will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty.

"Factors will be taken into account including an organisation's financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation."

"The power to impose a monetary penalty notice is designed to deal with serious breaches of the Data Protection Act and is part of the ICO's overall regulatory toolkit which includes the power to serve an enforcement notice and the power to prosecute those involved in the unlawful trade in confidential personal data."

Plans call for individual cases to also be assessed on whether the breach was accidental or deliberate, and how much distress the leak of information caused.

Further details of the guidance can be downloaded from the main ICO website.
