‘Get tough’ approach over data disasters | 09 February 10

COMPANIES and organisations which don’t keep a close eye on sensitive data face being hit with fines of up to £500,000, a leading law firm has warned.

In the wake of high-profile incidents, starting with the loss of data on 25 million families from Her Majesty’s Revenue and Customs office in Washington, new powers have been brought in to get tough on data protection breaches.

The Information Commissioner’s power to issue fines of up to £500,000 for serious breaches of data protection laws is due to come into force on April 6, subject to Parliamentary control.

Experts at North law firm Ward Hadaway say this means businesses and organisations will need to be much more stringent when it comes to protecting any sensitive data they may hold on individuals such as employees, customers or contacts.

Judy Baker, partner and head of data protection at the firm, said: “Up until now, the Information Commissioner’s powers as the UK data protection regulator were limited.

“The new powers will enable him to treat data protection breaches more seriously, and have potential to impact all organisations that collect and process personal information.

“From the size of the maximum fine which can be imposed, it is clear that the Government is taking the issue much more seriously than before and organisations would do well to take heed. The powers will only apply to breaches after 6 April, so organisations would be wise to get their houses in order before that.”

In general terms, the new legislation will allow the Information Commissioner to issue a financial penalty to an organisation, if he is satisfied that:

  • there has been a serious breach of the data protection principles; and
  • that breach was of a kind likely to cause substantial damage or distress; and
  • either it was committed deliberately, or the organisation should have known that there was a risk, but still failed to take reasonable steps to prevent it.

Justice Minister Michael Wills has said: “Most data controllers do comply with the principles but since misuse of even small amounts of personal data can have very serious consequences, it is vital that we do all that we can to prevent non-compliance.

“Penalties of up to £500,000 will act as a strong deterrent.”

To strengthen the Information Commissioner’s armoury further, the Home Secretary has been given powers to introduce jail sentences for the unlawful obtaining or disclosing of personal information, although these powers require secondary legislation before they are implemented and the consultation process has not yet finished.

Judy Baker from Ward Hadaway said: “In light of these changes, organisations would do well to implement a review of their data protection safeguards to ensure they are as secure as possible.

“Ward Hadaway advises a range of bodies on data protection issues and on ways they can minimise the danger of breaches, which now have the power to cause financial harm, not just embarrassment and reputational damage.”
