Fines of up to £500,000 for UK Data Protection Act Breaches


We thought you might like to know that today the Government:

  • Laid new civil monetary framework regulations before Parliament to bring into force penalties of up to £500,000 ($800,000) for serious contraventions of the Data Protection Act 1998 (including data security breaches); and
  • Published its response to the public consultation on ‘Civil Monetary Penalties – Setting the Maximum Penalty’ (available on the Ministry's website) showing that the majority of respondents supported the proposed new penalties.

Assuming Parliamentary approval, these penalties will take effect from 6 April 2010.

In the Department’s response to the Consultation, the Justice Minister noted that:

  • Civil Monetary Penalties of up to half a million pounds will ensure that the Information Commissioner is able to impose robust sanctions on those who commit serious contraventions of the data protection principles.
  • Most data controllers do comply with the principles, but since misuse of even small amounts of personal data can have very serious consequences, it is vital that we do all that we can to prevent non-compliance. Penalties of up to £500,000 will act as a strong deterrent.

The Information Commissioner has previously made public his intent to adopt a pragmatic and proportionate approach to issuing these monetary penalties, taking into account the organisation’s size, financial resources and industry sector, as well as the severity of the breach. He has, however, clearly stated: “I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law”. Draft guidance setting out how the ICO’s new power will work is available on the Commissioner's website.

What should you do about this?

  1. Review your organisation’s data protection compliance in light of the increased risk of a potential £500,000 penalty for breach of the UK Act.
  2. Ensure it is understood at a senior level in your organisation that data protection must be taken seriously and perhaps moved up the compliance agenda given the April 2010 deadline.
  3. Make the necessary changes to your data protection policies and procedures to ensure they comprehensively cover all your data processing activities.
  4. Carry out staff data protection awareness training.

Please don’t hesitate to contact us if you have any queries or concerns. We are always happy to help!
