Fines of up to £500,000 for Serious Data Protection Breaches
New powers, designed to deter personal data security breaches, are expected to come into force on 6 April 2010. The Information Commissioner’s Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act.
When serving monetary penalties, the Information Commissioner will carefully consider the circumstances, including: the seriousness of the data breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent; and what reasonable steps the organisation had taken to prevent breaches.
In guidance from the Information Commissioner’s Office, the following are given as evidence that ‘reasonable steps’ have been taken:
- A risk assessment has been carried out or there is other evidence (such as appropriate policies, procedures, practices or processes in place or advice and guidance given to staff) that the data controller had recognised the risks of handling personal data and taken steps to address them;
- The data controller had good governance and/or audit arrangements in place to establish clear lines of responsibility for preventing contraventions of the Data Protection Act;
- The data controller had appropriate policies, procedures, practices or processes in place and they were relevant to the contravention, for example, a policy to encrypt all laptops and removable media in relation to the loss of a laptop by an employee of the data controller;
- Guidance or codes of practice published by the Commissioner or others and relevant to the contravention were implemented by the data controller.
The guidance in full is available on the Information Commissioner’s website.
Posted 4 February 2010