Businesses that break the Data Protection Act will face penalties of up to half a million pounds, in a move that marks the first time that the Information Commissioner has been able to issue fines.
The introduction of heavy penalties would act as a deterrent, according to Information Commissioner Christopher Graham, who regulates and monitors the use of data.
But the proposals do not go as far as the ICO has said it wants. Last November, Graham argued in response to a government consultation that a penalty of two years’ jail time should be set as the maximum.
He said at the time: “In many cases a fine alone will be looked on by the offender as little more than a business expense or simply as a risk worth taking.”
Commenting on the announcement, Graham said he “will not hesitate” to use the new powers. The level of penalties would be set in each case according to culprits’ business turnover and the severity of the crime, as well as whether it was deliberate or negligent.
The proposals have been approved by justice secretary Jack Straw, and are laid before parliament today. They are expected to come into force on 6 April, the Information Commissioner’s Office said.
Until now, the ICO has only been able to serve enforcement notices, where businesses that break the DPA are obliged to commit to a set of rules, or take those individuals to court. It has not been able to issue fines.
Under the new proposals, fines will be issued if the ICO judges there has been a serious breach that was likely to cause damage or distress. Examples include when financial data is lost and an individual becomes the victim of identity fraud, or if data is stolen and an individual suffers worry and anxiety.
The worst cases, the ICO said, can include when marketing companies collect personal data stating it is for the purpose of a competition and then, without consent, knowingly and secretly disclose the data for commercial purposes.