A data protection specialist at Nelsons warns that from 6th April 2010, the Information Commissioner’s Office (ICO) will have new powers to fine organisations up to £500,000 for serious breaches of the Data Protection Act (DPA).
Commenting, Karen Harrison, a partner in the Commerce & Technology team says: "The new powers are primarily designed to deter personal data security breaches and promote greater compliance of the Data Protection Act, but the ICO has said it will not hesitate in using monetary penalty sanctions for the most serious cases where organisations deliberately breach the law, are negligent or fail to take reasonable steps to prevent breaches. In particular, organisations who fail to report data security breaches will face tougher action by the privacy watchdog."
According to Karen, the ICO will impose a monetary penalty if it is satisfied that there has been a serious contravention of the data protection principles, and that the contravention was of a kind likely to cause substantial distress or damage. She continues: "Factors which make the imposition of a monetary penalty more likely are:
- the seriousness of the contravention;
- the nature of the personal data involved;
- the duration and extent of the contravention;
- the number of individuals affected;
- if the damage is financially quantifiable;
- if the organisation failed to carry out any risk assessment; and
- if the contravention was deliberate or premeditated.
"Equally, if the data controller was aware of and did not follow relevant guidance published by the ICO, or if there was a similar series of contraventions and the data controller did not take steps to rectify the cause, the organisation is more likely to face a monetary penalty.
"The ICO will, however, take a proportionate approach to issuing an organisation with a penalty or enforcement notice. Financial resources, sector, size and the severity of the data breach will all be factors taken in account in order to ensure that undue financial hardship is not imposed on an organisation."
Under the DPA, any business which processes personal information must comply with the eight Data Protection Principles which require that personal data is:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than necessary;
- processed in line with an individual’s rights;
- kept secure; and
- not transferred to other countries without adequate protection.
Karen concludes: "With more than 800 data security breaches reported to the ICO since January 2008, of which 195 were due to mistakes and 262 from theft, the problem is serious. Organisations need to comply with the law, ensuring that they carry out appropriate risk assessments, audits, have adequate procedures and policies in place, have clear lines of accountability and adequately train their staff."
The new powers are inserted into section 55 of the DPA by section 144 of the Criminal Justice and Immigration Act (CJ1A). The ICO has produced statutory guidance for businesses about how it proposes to use the new powers. For more information or advice on how to comply with the DPA, contact Karen Harrison at Nelsons on 0115 851 1286 or by email at karen.harrison@nelsonslaw.co.uk