Data Protection Act breach could cost companies £500,000

The Information Commissioner's Office recently announced new penalties for Data Protection Act breaches. Find out when the new penalties will come into play and what they will entail.

The government recently confirmed that serious Data Protection Act breaches will be subject to fines of up to £500,000. This policy will take effect on April 6, 2010.

Currently, the Information Commissioner's Office (ICO), the organisation that enforces the act, only has the power to issue an enforcement notice to offending organisations.

The introduction of monetary penalties has long been expected, since the provision for fines was included in the Criminal Justice and Immigration Act 2008.

As a result of that act, fines had been expected to arrive by early 2009, with some experts arguing that the maximum fine for a serious breach could be 10% of an offending organisation's annual turnover. That did not turn out to be the case, and according to some sources, behind-the-scenes government wrangling delayed the process.

A spokesperson for the ICO said the £500,000 maximum fine would act as a "very real deterrent," but declined to comment on whether the ICO considered the possibility of higher penalties.

In a statement, Information Commissioner Christopher Graham said, "Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details.

"When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act."

He promised to take "a pragmatic and proportionate approach" when determining the level of any fines, and said the amount would depend on the seriousness of the offence, the level of damage caused, whether the breach was deliberate or the result of negligence, and on whether the organisation had taken appropriate measures to protect information.

Rosemary Jay, a data privacy specialist at London-based law firm Pinsent Masons, said the new penalty marked a big change in legislation and signaled that data protection should now be taken more seriously. But she added that the top fines are still "very small compared with the powers of the Financial Services Authority," which has issued much larger fines for data breaches against financial-services companies. For instance, the Nationwide Building Society was fined £980,000 and Norwich Union £1.26 million.

"The ICO will have to go through quite a convoluted process before they can impose a fine," Jay said. "They must first serve a preliminary notice saying why they are doing so, what evidence they have and then consider the organisation's response. This will take quite a lot of resources, so the proof of the pudding will be if they ever actually do it, and how long it takes them."

In her opinion, the ICO will avoid handing out fines except in the most serious or reckless of cases, but she still expects the new regime to have an effect on data protection practices.

"We'll have to see how it works in action," she added. "It does raise the risk profile within businesses, it will have an impact on compliance, and businesses will take it more seriously. I think there will be a cultural change in attitudes."

Alan Calder, managing director of IT Governance Ltd., a consultancy based in Ely, Cambridgeshire, said the penalties would persuade companies to take data protection more seriously, but added that the ICO must demonstrate a willingness to impose fines.

"The first couple of serious fines will make a number of chief executives -- who like to think that everything's okay -- take a second look at their security. That is when they'll discover that things are not as okay as they like to believe."

Penalties still need to be confirmed for breaches of Section 55 of the Data Protection Act, which makes knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller a criminal offence.

The ICO had been seeking the power to impose custodial sentences for Section 55 offences, but it met with strong resistance from the media industry, which argued that such stiff penalties could stifle journalistic investigations and go against the public interest. In a consultation paper issued last November, the Information Commissioner proposed an amended version that would make exemptions for some journalistic or artistic activity. That consultation has just closed, and the responses will now be considered by the Ministry of Justice.
