Government proposes fines of up to £500,000 for serious DP breaches

Claire Walker

The Government has published its long awaited proposals on fines for serious breaches of the Data Protection Act 1998. The proposal is for a maximum fine of £500,000, with a discretion for the information Commissioner’s Office to assess the actual level of fines imposed on a case by case basis. The consultation period ends on 21 December, and the new fines could come into force as soon as April 2010.

The proposals are set out in consultation paper published on 9 November entitled “Civil monetary penalties: setting the maximum penalty”.
The penalties will significantly boost the Information Commissioner’s (currently very limited) enforcement powers. They are being introduced response to the seemingly endless tide of serious security breaches, which began to come to light almost two years ago with the HMRC debacle.

The new powers are to be found in the recently added section 55A of the DPA (introduced by section 144 of the CJIA 2008) and will apply to serious breaches of the Act which are likely to cause substantial damage or distress, and which are committed deliberately or recklessly.

The new provisions received Royal Assent in May 2008. However, the sanction is still not “live”, as the amount of the penalties will need to be set by statutory instrument.

The MoJ has dropped the idea of fines based on a percentage of turnover model, similar to that used by other regulators, in favour of a fixed maximum fine which the ICO can then assess according to the seriousness of the breach and the resources of the data controller in question.

The consultation document poses a single question, namely whether the fine of up to £500,000 provides the ICO with a “proportionate sanction” for serious DPA contraventions. The cap seems modest when compared with fines imposed by the FSA for data breaches in the financial services sector.

The MoJ and the ICO have both indicated that the plan is for the new fines to go live in April next year.

Leave a Reply

Your email address will not be published. Required fields are marked *