ICO gains new powers to fine organisations

The Information Commissioner has confirmed that from April he will have new powers to fine organisations up to £500,000 for wilful or reckless misuse of personal information. Actions likely to incur the full wrath of the ICO will include:

  • Where an individual becomes the victim of identity fraud following a security breach of financial data by a data controller
  • Where an individual suffers worry and anxiety that his sensitive personal data will be made public even if his concerns do not materialise following a security breach of his medical record by a data controller
  • Where a marketing company collects personal data one purpose and then, without the individual’s knowledge or consent, knowingly discloses the data to a third party for another purpose.

It’s good to see that the ICO finally has powers commensurate with the importance of the role. To date, the relatively small penalties available to the Information Commissioner have had little deterrent effect upon companies that are negligent or wilfully abuse personal information, and in the most serious cases it has fallen to other regulators such as the Financial Services Authority to enforce appropriate sanctions. Hopefully the new powers will engender a fresh respect for the Information commissioner and the importance of protecting personal information.

There is however one particular area in which these new powers might be inappropriate: there can be only limited value in fining organisations that are funded by the public purse, since this simply impacts the final service delivery from that organisation. Where incidents occur in public authorities, penalties should be focussed upon the responsible individuals rather than the organisation as a whole.