The Government has published its long-awaited proposals on fines for serious breaches of the Data Protection Act 1998. The proposal is for a maximum fine of £500,000, with discretion for the Information Commissioner’s Office (ICO) to assess the actual level of fine imposed on a case-by-case basis. The consultation period ends on 21 December, and the new fines could come into force as soon as April 2010.
The new powers are to be found in the recently added section 55A of the DPA (introduced by section 144 of the Criminal Justice and Immigration Act 2008) and will apply to serious breaches of the Act which are likely to cause substantial damage or distress, and which are committed deliberately or recklessly.
The new provisions received Royal Assent in May 2008. However, the sanction is still not “live”, as the amount of the penalties will need to be set by statutory instrument.
The Ministry of Justice (MoJ) has dropped the idea of fines based on a percentage of turnover, a model similar to that used by other regulators, in favour of a fixed maximum fine which the ICO can then scale according to the seriousness of the breach and the resources of the data controller in question.
The consultation document poses a single question, namely whether a fine of up to £500,000 provides the ICO with a “proportionate sanction” for serious DPA contraventions. The cap seems modest when compared with the fines imposed by the Financial Services Authority (FSA) for data breaches in the financial services sector.