The Information Commissioner's Office (ICO) has new powers which are designed to deter personal data security and other breaches. The new powers come into force during this year.
Under the first of the new powers which will come into force on 6 April 2010, the ICO will be able to order organisations to pay penalties of up to £500,000 for serious breaches of the data protection principles enshrined in the Data Protection Act 1998 (DPA) which may cause damage or distress to data subjects. In deciding whether or not to impose the full £500,000 penalty, the ICO will assess breaches according to various criteria, including the seriousness of the breach; the likelihood of significant damage and distress to affected individuals; whether the breach was deliberate or negligent; and what action the organisation had taken to prevent breaches.
An organisation will have the opportunity to respond to a notice of intent from the ICO to issue a monetary penalty notice. If, after considering the response, the ICO decides to impose a penalty, the organisation can get a 20 per cent discount by paying in full within 28 days of the monetary penalty notice.
The second of the new powers is currently undergoing consultation and concerns the introduction of a custodial sentence for the offence under section 55 of the DPA of knowingly or recklessly obtaining or disclosing personal data. Although the maximum sentence is yet to be confirmed, it is expected to be up to two years on indictment.
In addition, the ICO has been granted new statutory powers to audit government departments without consent under the Coroners and Justice Act 2009. There is scope under this Act for the power of audit to be extended to public authorities and certain private sector data controllers.
The extension to the ICO's powers of enforcement comes after the tariffs for registration with the ICO were increased, in part to give the ICO a 'war chest' enabling it to take much more action than in the past in relation to privacy breaches. It shows that the Government is taking data protection much more seriously, no doubt in response to widespread disquiet about extensive and repeated data losses and breaches by public and private bodies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.