£500k fines for serious data security breaches

Privacy watchdog to get new data protection powers

13 January 2010

Lost property

Both the government and private companies have lost masses of personal data

Organisations that seriously breach the Data Protection Act could be fined up to £500,000 under new powers expected to be given soon to privacy watchdog, the Information Commissioner's Office (ICO).

Subject to approval by parliament, the new powers are expected to come into force on 6 April 2010. They will enable the ICO to impose large financial penalties if organisations lose personal data by not properly complying with the Data Protection Act.

How will ICO powers to penalise work in practice?

The ICO has produced statutory guidance about how it proposes to use this new power. When serving monetary penalties, the Information Commissioner will carefully consider the circumstances, including:

  • the seriousness of the data breach
  • the likelihood of substantial damage and distress to individuals
  • whether the breach was deliberate or negligent
  • what reasonable steps the organisation has taken to prevent breaches.

The size of the fine will also be influenced by the size and finances of the organisation at fault.

ICO: Data loss can cause 'real harm and distress to thousands'

In recent years there have been a number of high profile cases of organisations losing personal data, including the Driving Standards Agency and HM Revenue and Customs.

Information Commissioner Christopher Graham said: 'Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. 

'When things go wrong, a security breach can cause real harm and great distress to thousands of people. 

'These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.'

The power to impose a monetary penalty notice is designed to deal with serious breaches of the Data Protection Act. It is part of the ICO’s overall regulatory toolkit which includes the power to serve an enforcement notice, and the power to prosecute those involved in the unlawful trade in confidential personal data.

Protect yourself online

There's a limit to what individuals can do to protect themselves against losses of data by large companies, but Which? has plenty of advice on what you can do to help keep your personal details private: 

Don't go online unless you're fully protected by Which? Best Buy security software, and for more privacy tips take a look at Which? guidance on:
