"The Information Commissioner’s Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act," said an ICO statement. "The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and has been laid before Parliament today."
The ICO has campaigned for a number of years for increased powers to enforce the Data Protection Act. As well as increased fines it has asked for the Government to introduce jail terms for those who trade in personal information.
A consultation on jail terms closed last week and the Government is still considering what action to take, an ICO spokeswoman said.
The ICO has long expressed concerns both about organisations which fail to take sufficient care when processing personal data and about unscrupulous traders who 'scam' their way into systems and sell the personal information they find there.
"Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details," said Information Commissioner Christopher Graham. "When things go wrong, a security breach can cause real harm and great distress to thousands of people."
"These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law," he said.
The ICO said that it would assess breaches according to various criteria when deciding whether or not to impose the full £500,000 penalty. These include:
- the seriousness of the breach;
- the likelihood of damage and distress to those affected;
- whether the breach was deliberate;
- whether it was negligent; and
- what action the organisation had taken to protect information.
"The Information Commissioner will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty," the ICO statement said. "Factors will be taken into account including an organisation’s financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation."
The consultation leading to the Government's decision on penalties said that it had considered but rejected a penalty system based on the turnover of an organisation.
"Following discussion with the ICO and consideration of the greater administrative burden involved in operating a turnover-based system, we are consulting only on a fixed maximum amount," says the consultation paper. "However, we consider it desirable that the maximum amount of the penalty should not be higher than the equivalent of 10% of the highest annual turnover of a small company."
That limit is not contained in the ICO's guidance on the new fines, which instead says: "The Commissioner will take into account any proof of genuine financial hardship which may be supplied. The purpose of a monetary penalty notice is not to impose undue financial hardship on an otherwise responsible data controller. In appropriate cases the Commissioner will adjust the monetary penalty where, for example, a data controller made a loss in the previous year".