ICO to fine companies for DPA breaches

Offending organisations could be fined up to £500,000 for breaching Data Protection Act

Companies in serious breach of the Data Protection Act are facing fines of up to £500,000 from the Information Commissioner's Office (ICO).

The new powers follow the publication of a six-week public consultation, run by the Ministry of Justice (MoJ) at the end of 2009, into setting financial penalties for serious breaches of the DPA.

The number of data breaches reported to the ICO has soared in the past two years. Richard Thomas, the previous Information Commissioner, called for stronger powers back in 2007 when he said that “the number of data breaches brought to our attention is serious and worrying”.

According to the MoJ, last year’s consultation showed that the majority of respondents supported the proposal to allow the ICO to fine those who, either deliberately or knowingly, seriously contravene the data protection principles up to £500,000.

The new Civil Monetary Penalties legislation will form a new part of the ICO’s overall regulatory toolkit; this also includes the power to serve an enforcement notice and the power to prosecute those involved in the unlawful trade in confidential personal data.

Justice minister Michael Wills said: “… misuse of even small amounts of personal data can have very serious consequences, it is vital that we do all that we can to prevent non-compliance. Penalties of up to £500,000 will act as a strong deterrent.”

The ICO said that, before fining a company, it will carefully consider the circumstances, including the seriousness of the data breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent; and what reasonable steps the organisation has taken to prevent breaches.

It will also take “a pragmatic and proportionate approach” when issuing an organisation with a monetary penalty. Factors that will be taken into account include an organisation’s financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed.

Information Commissioner Christopher Graham said: “Getting data protection right has never been more important than it is today.

“I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act.

“But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”

The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice.

The new Civil Monetary Penalties regulations have been put before Parliament today and, if approved, are expected to come into force on 6 April.

Reader Comments

Negative Net Sum Gain

So Government make a mistake, on behalf of the public one set of departments fine another set of departments (eg ICO fines DVLA) - Net result - everyone pays more tax - Benefit - none, risk is borne by the taxpayer who is the loser under all circumstances - Typical jobsworth Governmental approach

Posted by james ferguson, 12 Jan 2010

   
