ICO gets power to fine £500,000

Wednesday, January 13, 2010

The Information Commissioner's Office (ICO) has confirmed it will get new powers to fine up to £500,000 for serious breaches of the Data Protection Act.

Statutory guidance about how the ICO will use the new power has already been approved by Justice Secretary Jack Straw and was approved by parliament on 12 January. The new power will now come into force from 6 April.

Information Commissioner, Christopher Graham, said: "Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."

The ICO said the Information Commissioner will take a considered approach when issuing fines, with the £500,000 penalty being used in only the most serious circumstances. It added that factors like an organisation's financial resources, sector, size and the severity of the breach will be taken into account.

Monies received will be paid to the Consolidated Fund, held by the HM Treasury, and will not be kept by the ICO. A discount has also been agreed whereby the fine is reduced by 20 per cent if it is paid within 28 days of the fine being issued.

Graham already has the power to serve an enforcement notice, committing an organisation to better data protection, and the power to prosecute those involved in the unlawful trade in confidential personal data.