The Information Commissioner will be able to issue fines of up to half a million pounds to businesses that break the Data Protection Act, from today (April 6).
The Information Commissioner’s Office (ICO) was first granted the power to issue the large penalty in January. The announcement also marks the first time the ICO has been able to issue fines.
Christopher Graham, the Information Commissioner, said: “These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act.”
However, the heavy penalty is less than what the ICO originally called for. Last November, Graham argued in response to a government consultation that a penalty of two years’ jail time should be set as the maximum. He said at the time: "In many cases a fine alone will be looked on by the offender as little more than a business expense or simply as a risk worth taking."
The level of penalties will be set in each case according to businesses’ turnover and the severity of the crime, as well as whether it was deliberate or negligent.
Until now, the ICO has only been able to serve enforcement notices, which oblige businesses that break the DPA to commit to a set of rules, or to take the offending individuals to court. Under the new powers, fines will be issued where the ICO judges that a serious breach has occurred that was likely to cause damage or distress, for example the loss of financial data that leaves individuals victims of identity fraud.
Data security experts have given a mixed reaction to the news. Jamie Cowper, European marketing director at data encryption firm PGP Corporation, said: "The addition of a £500,000 fine, on top of the overall cost of a data breach, should in theory provide enough of a financial deterrent for organisations reluctant to invest in their security strategies.
"However, as 70 percent of UK organisations suffered a data breach just last year (Ponemon Institute, July 2009), it is clear that the ICO is going to have to couple this new policy with a fresh awareness campaign if organisations are to truly recognise the financial sense of investing in proven technologies, such as encryption."
Meanwhile, Sean Glynn, product manager at data security specialist Credant Technologies, said: "As last week’s data breach, in which data on 9,000 teenagers was stolen from the home of a Barnet Council employee, shows, having a good set of security policies in place does not help if you do not use technology to firmly enforce those policies."