What the new powers of the Information Commissioner mean to you

Big fines will put teeth into the law by the end of the year.

The recent passage of the Criminal Justice and Immigration Act through Parliament has two aspects which directly affect people and companies holding personal data.

It increases the penalty for data theft and trading in stolen information, from a fine to a prison sentence. And for the first time, it gives the Information Commissioner's Office (ICO) the power to impose fines on any organisation that "recklessly or deliberately" misuses information and breaches the principles of the Data Protection Act. Up to now, the ICO has only had the power to impose an enforcement order to get companies to mend their ways.

The sanctions could have been even more severe. The Conservatives and Liberal Democrats tried to introduce an amendment to the Act that would have made mishandling of data a criminal offence (and therefore subject to a custodial sentence) but that was averted by the government.

The eight guiding principles of the Data Protection Act:
Personal information is...

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

However, although the Act was passed on May 9, nothing is likely to change before the end of the year, and so any company in doubt about its current practices has a small period of grace before the serious penalties kick in.

Furthermore, although the provision for data theft to be punished by imprisonment is now on the Statute Book, it is still not active in law, and may not come into force.

Stewart Room, a solicitor with Field Fisher Waterhouse who specialises in technology, explains: "Parliament has introduced a custodial penalty on the statute book, but it will not be brought into effect without a Ministerial order and resolutions from both houses of Parliament. So it's in, but not quite in. It is on the statute book, but not actually in force."

For that to happen, the ICO will have to prove, as it has alleged, that there is a widespread and pervasive trade in stolen information, which it has so far failed to do, says Room. He said this part of the Act had been seen as a potential attack on press freedom, and had been the subject of vigorous press and media lobbying to stop it actually becoming law.

In his view, that part of the Act is now unlikely to come into force. "The political landscape has changed, and two years away from a General Election, does the Government want to antagonise the press?" Room says.

The introduction of fines for breaching data protection principles is a far more important move, he says. "In the clearest parallel regime, the FSA fined the Nationwide £980,000 in February 2007, and the Norwich Union £1.26m in December 2007 for serious breaches of security," he says. "So a serious data breach is going to attract a handsome fine. It has to be handsome to be a deterrent. If it's only £5000, then it just becomes a cost of business."

The level of fines must now be decided by the Ministry of Justice, which could take a few months, and according to Room, we will probably have to wait until the end of the year before the first fines are imposed. The law is not retroactive, so the sanctions will apply only to offences committed after the ICO's new powers come into force.

In a written statement, the deputy Information Commissioner David Smith said: "This change in the law sends a very clear signal that data protection must be a priority and that it is completely unacceptable to be cavalier with people's personal information. The prospect of substantial fines for deliberate or reckless breaches of the Data Protection Principles will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously."

In April, the ICO also issued new guidelines on notification of data breaches. Although the ICO has no powers to force notification, it has made clear that any breach that is not voluntarily disclosed and then discovered will attract more severe action.

But notification is still limited to informing the ICO; there are still no plans to force disclosure to the individuals affected, as is the case in many states of the U.S.
