On 6 April 2010, the Information Commissioner's Office ("ICO") acquired significant new powers to fine data controllers up to £500,000 for failing to protect personal data.

Data controllers are organisations that collect data that can be used to identify individuals and determine the purposes for, and the manner in which, such information is processed. Given the steady increase in reported data losses, it may not be long before the ICO is given the opportunity to test these new powers.

The change was introduced by the Criminal Justice and Immigration Act 2008, which amends the Data Protection Act ("DPA"), and allows the ICO to issue a Monetary Penalty Notice ("MPN") (a) where the data controller seriously contravenes the data protection principles; (b) this is likely to cause substantial damage or distress; and (c) it was deliberate, or reckless, in circumstances where the data controller failed to take reasonable steps to prevent it.

The implementation of the new penalty was delayed pending ICO guidance on its use, which was approved by the Secretary of State on 12 January 2010. The guidance states that, in setting the level of the penalty, regard will be had to several factors including the financial resources of the data controller, the data controller's behaviour, and the overall circumstances of the infringement.

Historically, the ICO's approach has focused on securing the future compliance of data controllers that breach their obligations, rather than punishing the breach itself.

It has done this largely through the cultivation of bad publicity and the service of Enforcement Notices (requiring controllers to bring their processing activities in line with the law). Although a failure to comply with an Enforcement Notice is a criminal offence, this is obviously a secondary remedy only, and the ICO has long campaigned for increased powers to enforce the DPA. Indeed, the Criminal Justice and Immigration Bill initially called for intentional or reckless disclosure of personal data to be criminalised and, although this was felt to be unworkable, MPNs may actually have more impact in practice. Not only do MPNs avoid the stigma of a criminal sanction (and the ICO may therefore use them more freely), but the burden of proof will be far easier to satisfy.

The new powers should significantly modify the approach many data controllers take towards processing personal data. Not only will MPNs introduce very tangible consequences for serious breaches of the law, they will also improve the ICO's awareness of data losses that occur. This is because, in determining the level of penalty, the controller's reaction to the breach will be significant. Immediate notification to the ICO, accompanied by a response plan to ensure damage is minimised and not repeated, is likely to persuade the ICO to adopt a benevolent approach. In contrast, if the ICO learns of a serious breach through an alternative source, it may seek to make an example of the controller in question. It is very likely, therefore, that voluntary notification of breaches will increase.

The ICO has stated it will continue to rely primarily on the cooperation of data controllers but will not hesitate to use its new powers where necessary. While sums recovered under the new power will be paid into the Consolidated Fund, and there is therefore no budgetary motivation to fine heavily, the number of high-profile data losses in recent years and an increasingly protective attitude towards privacy mean the ICO will be eager to flex its new muscles. Companies wishing to avoid the unenviable position of being the first to suffer a data loss after 6 April 2010 should therefore consider a careful review of their compliance position.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.