"The Information Commissioner's Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act," said an ICO statement. "The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and has been laid before Parliament today."
The ICO has campaigned for a number of years for increased powers to enforce the Data Protection Act. As well as increased fines it has asked for the Government to introduce jail terms for those who trade in personal information.
A consultation on jail terms closed last week and the Government is still considering what action to take, an ICO spokeswoman said.
The ICO has long expressed concerns both about organisations which fail to take sufficient care when processing personal data and about unscrupulous traders who 'scam' their way into systems and sell the personal information they find there.
"Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details," said Information Commissioner Christopher Graham. "When things go wrong, a security breach can cause real harm and great distress to thousands of people."
"These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law," he said.
The ICO said that it would assess breaches according to various criteria when deciding whether or not to impose the full £500,000 penalty. These include:
- the seriousness of the breach;
- the likelihood of damage and distress to those affected;
- whether the breach was deliberate;
- whether it was negligent; and
- what action the organisation had taken to protect information.
"The Information Commissioner will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty," the ICO statement said. "Factors will be taken into account including an organisation's financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation."
The consultation leading to the Government's decision on penalties said that it had considered but rejected a penalty system based on the turnover of an organisation.
"Following discussion with the ICO and consideration of the greater administrative burden involved in operating a turnover-based system, we are consulting only on a fixed maximum amount," says the consultation paper. "However, we consider it desirable that the maximum amount of the penalty should not be higher than the equivalent of 10% of the highest annual turnover of a small company."
That limit is not contained in the ICO's guidance on the new fines, which instead says: "The Commissioner will take into account any proof of genuine financial hardship which may be supplied. The purpose of a monetary penalty notice is not to impose undue financial hardship on an otherwise responsible data controller. In appropriate cases the Commissioner will adjust the monetary penalty where, for example, a data controller made a loss in the previous year".