Data protection breaches could attract fines of up to £500,000
16 November 2009
The Ministry of Justice has issued a consultation paper proposing maximum fines of £500,000 for serious and reckless breaches of the Data Protection Act 1998.
It follows legislation enacted in 2008 giving the Information Commissioner the power to impose fines on data controllers.
Background
Since 25m child benefit records were lost two years ago, the number of security breaches being reported appears to be growing year on year.
The Information Commissioner’s Office (ICO) recently said ‘unacceptable amounts of data are being stolen, lost in transit or mislaid by staff’ and that ‘far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks and other portable media’.
Up until now, the ICO has had limited powers of enforcement that arguably did little to deter organisations from breaching the Data Protection Act.
However, the Criminal Justice and Immigration Act 2008 included a new power for the ICO to impose fines for serious breaches of the Act likely to cause substantial damage or distress, and which are committed deliberately or recklessly. The introduction of the new power was delayed pending decisions on practical implementation, including the maximum level of fines.
Development
Unless changes are made as a result of the current consultation, the ICO will have the power to impose fines up to a maximum of £500,000. It is envisaged that the new power will be effective from April 2010.
The ICO will have the right to exercise a discretion to ensure that a ‘proportionate sanction’ is applied in every case, taking into account the seriousness of the breach and the resources available to the data controller.
It is clear, though, that the ICO intends to take action in order to reduce the frequency with which serious data protection breaches are taking place.
The ICO hopes that its new powers will ‘help focus minds at Board level to improve security’. Although data security issues are high on the ICO’s agenda in the light of recent high-profile data losses, data controllers should be aware that the fines can be imposed in relation to serious breaches of any of the eight principles set out in the Act.
Next steps
The consultation period is due to end on 21 December 2009, at which time the level of fine will be confirmed. Organisations should review their data protection compliance to reduce the risk of exposure to these new penalties.
© Shoosmiths. This page is for general information: it is not legal advice. Please read our full terms and conditions for details of the disclaimers and exclusions which apply.
Get in touch
Aisling Duffy
Solicitor
T: 03700 86 5089
I: +44 (0)115 906 5089
E: aisling.duffy@shoosmiths.co.uk
