New Penalties for Serious Data Protection Breaches
New powers, designed to prevent serious breaches of personal data security, are due to come into force on 6 April 2010. The Information Commissioner’s Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of one or more of the eight principles in the Data Protection Act 1998 (DPA).
When serving monetary penalties, the Information Commissioner will take into account the circumstances surrounding the failure to comply with the DPA, including:
the seriousness of the data protection breach;
the likelihood of substantial damage and distress to individuals;
whether the breach was deliberate or negligent; and
what reasonable steps the organisation has taken to prevent breaches.
Factors to be taken into account when determining the level of the fine will include the type of organisation, its financial resources and the size and severity of the data breach, so that undue financial hardship is not imposed on the organisation.
Statutory guidance on how the ICO will use this new power can be found at http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_guidance_monetary_penalties.pdf.
Information Commissioner Christopher Graham said, “Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the DPA.”
In addition to these new powers, the Ministry of Justice has carried out a consultation on exercising the power to provide for custodial sanctions for those found guilty of knowingly or recklessly obtaining, disclosing or procuring the disclosure of personal data, without the consent of the data controller, and of selling or offering to sell personal data that has been obtained unlawfully. These are all offences under Section 55 of the DPA.
However, the proposals make it clear that the Government does not wish to prevent legitimate investigative journalism and there is therefore a proposal to commence, simultaneously, a new defence under Section 55 relating to the purposes of journalism, art and literature.