Public sector, voluntary and private organisations are being warned they could face penalties of up to half a million pounds for failing to protect the personal data they hold. The Office of the Information Commissioner has produced new statutory guidance on how it plans to use new powers, expected to come into effect in April, to punish serious breaches.
The guidance has been approved by Justice Secretary Jack Straw and has been laid before Parliament. It makes it clear that when serving monetary penalties the Information Commissioner will look carefully at the circumstances of the breach, including the seriousness, the likelihood of substantial damage and distress to individuals, whether the breach was deliberate or negligent and what reasonable steps the organisation has taken to prevent breaches.
Information Commissioner Christopher Graham said getting data protection right had never been more important as citizens were increasingly asked to complete transactions online. He said security breaches could cause real harm and distress to thousands of people and added: “These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”
Mr. Graham said he would take a pragmatic and proportionate approach to issuing a monetary penalty. Factors taken into account would include the organisation’s financial resources, the sector it was in, its size and the severity of the data breach, to ensure no undue financial hardship was imposed on an organisation.