MoJ gives green light to £500k data-breach fines

NEWS

The Information Commissioner's Office has been given the power to issue large fines for data-protection offences from April.

Justice minister Michael Wills laid a statutory instrument before Parliament on Tuesday, setting the maximum fine at £500,000. The instrument will become law by default on 6 April, 2010, unless parliament objects.

"These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act," said information commissioner Christopher Graham. "I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the act.

"But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."

The ICO said it will take a "pragmatic and proportionate approach" to fines, taking into account the size and resources of the organisation, as well as the size and severity of a data breach. It will also reduce fines by 20 percent if an organisation pays in full within 28 days. Fines will go to the government's consolidated fund, rather than to the ICO.

In a ministerial statement, Wills told the House of Commons that a consultation on the size of fines had found that 27 of 52 responses had agreed with the £500,000 maximum, with nine arguing it should be lower and eight higher.

He added that he was also laying a second statutory instrument, which unlike the level of fine will be debated, with related matters including provision for cancellation and variation of notices, enforcements and appeals.

Talkback

I wonder how this will affect government departments when they loose laptops/disks/drives containing the private, unencrypted data of citizens, such as (to name but a few in the past):

25 million child-benefit claimants
600,000 prospective or actual recruits for the armed forces
21,000 patients from a Colchester NHS Trust
4,000 patients from Stockport Primary Care Trust
3 million learner drivers from UK Department of Transport
7,685 vehicle owners and their vehicles in Northern Ireland
45,000 benefit claimants in west Yorkshire

The details lost included names, addresses, passports, bank and mortgage accounts, credit cards, hospital records, dates of birth, national insurance numbers, driving licences and telephone numbers.

165829 13 January, 2010 15:16 Reply

Yup in place of where fines would not make a difference then prison sentence would suffice, as for the fine amount its not enough, it should be double that figure, and yes these should be applicable to government bodies also.

CA 13 January, 2010 21:45 Reply

Come back down to the hardware manufactures in the end cpu, ram, hdisk, & net comms equipment, where they will just have hardware enabled encryption by default.

But thats not really going to be enough, a best practice will also haft to be adopted.

CA 14 January, 2010 17:18 Reply

Post your comment

In order to post a comment you need to be registered and logged in

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

ZDNet UK Live