£500,000 fine coming for businesses that lose data?

Watchdog gets teeth - but only after more than 700 data breaches

By Nick Heath, 12 November 2009 16:10


Organisations that lose individuals' data could face a fine of up to £500,000 under proposals being considered by the government.

From next year, the privacy watchdog, the Information Commissioner's Office (ICO), will be able to fine companies that recklessly or maliciously breach the Data Protection Act (DPA). The Ministry of Justice yesterday launched a public consultation on the maximum amount such fines can run to, a figure it proposes should be set at £500,000.

In its consultation document the MoJ said it chose £500,000 because it did not want the penalty to be more than "10 per cent of the highest annual turnover of a small company".

As well as being imposed for malicious or reckless breaches of the DPA, the fine could also be used by the ICO against organisations that have:

  • Stored or processed personal data in a country outside of Europe that does not have adequate data protection legislation
  • Kept data for longer than is necessary for the organisation
  • Obtained personal data unlawfully
  • Accidentally deleted personal data

Under the ICO's current powers, the strongest sanction the watchdog has against an organisation that loses data is to serve it with an enforcement notice requiring it to improve data security or face legal action.

Deputy information commissioner David Smith welcomed the ICO's new powers and said they would help stop more breaches from occurring.

"We are keen to encourage organisations to achieve better data protection compliance and we expect that the prospect of a significant fine for reckless or deliberate data breaches will focus minds at board level," he said in a statement.

The announcement coincides with the latest ICO figures showing that 711 businesses, government bodies and charities have suffered data security breaches over the past two years.

Companies that are reckless with personal data could face a £500,000 fine from the Information Commissioner's Office
(Photo credit: swanksalot via Flickr, under a Creative Commons licence)

Of these organisations more than 200 were private companies and 209 were NHS health trusts and bodies.

Earlier this year the high level of losses among NHS trusts prompted the ICO to write to the Department of Health warning it needed to improve data security at health trusts.

Comments

  1. askJacky,noaskPostmanPrat

    I trust that this fine will also apply to all govt depts/quangos/local authorities as they are the greatest offenders? Thought not! One rule for them, another for the voters.

  2. drew stephenson

    The problem with this is that the biggest offenders are government institutions. So if they are fined all that happens is that amount of money is removed from the budget that the department uses to fund the services it's supposed to provide.
    The only people who win out of this are the lawyers lunching on the appeals process.

  3. Barry Mattacott

    Pointless and toothless all in one package.

    MOST of the data losers are gov depts. The only thing they care less about than the confidentiality of data is spending the taxpayers' money. It will not make any difference to them if their dept is fined for data loss.

    The ONLY way to make this work is to make company directors AND CIVIL SERVANTS personally responsible for the data loss from their organisations.
