The Information Commissioner's Office has been given the power to issue large fines for data-protection offences from April.
Justice minister Michael Wills laid a statutory instrument before Parliament on Tuesday, setting the maximum fine at £500,000. The instrument will become law by default on 6 April, 2010, unless Parliament objects.
"These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act," said information commissioner Christopher Graham. "I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the act.
"But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."
The ICO said it will take a "pragmatic and proportionate approach" to fines, taking into account the size and resources of the organisation, as well as the size and severity of a data breach. It will also reduce fines by 20 percent if an organisation pays in full within 28 days. Fines will go to the government's consolidated fund, rather than to the ICO.
In a ministerial statement, Wills told the House of Commons that a consultation on the size of fines had found that 27 of 52 responses had agreed with the £500,000 maximum, with nine arguing it should be lower and eight higher.
He added that he was also laying a second statutory instrument, which, unlike the level of fine, will be debated. It covers related matters including provision for cancellation and variation of notices, enforcements and appeals.





Talkback
I wonder how this will affect government departments when they lose laptops/disks/drives containing the private, unencrypted data of citizens, such as (to name but a few in the past):
25 million child-benefit claimants
600,000 prospective or actual recruits for the armed forces
21,000 patients from a Colchester NHS Trust
4,000 patients from Stockport Primary Care Trust
3 million learner drivers from UK Department of Transport
7,685 vehicle owners and their vehicles in Northern Ireland
45,000 benefit claimants in West Yorkshire
The details lost included names, addresses, passports, bank and mortgage accounts, credit cards, hospital records, dates of birth, national insurance numbers, driving licences and telephone numbers.
Yup, in place of where fines would not make a difference, then a prison sentence would suffice. As for the fine amount, it's not enough; it should be double that figure, and yes, these should be applicable to government bodies also.
It comes back down to the hardware manufacturers in the end: CPU, RAM, hard disk and net comms equipment, where they will just have hardware-enabled encryption by default.
But that's not really going to be enough; a best practice will also have to be adopted.