New powers, designed to deter personal data security breaches, are expected to come into force on 6 April 2010. The Information Commissioner’s Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act.
For a data breach to attract a monetary penalty, the Information Commissioner must be satisfied of three things: that there has been a serious breach; that the breach was likely to cause damage or distress; and that it was either deliberate, or negligent in that the organisation knew or ought to have known of the risk and failed to take reasonable steps to prevent it.
Example – damage
Following a security breach by a data controller, financial data is lost and an individual becomes the victim of identity fraud.
Example – distress
Following a security breach by a data controller, medical details are stolen and an individual suffers worry and anxiety that his sensitive personal data will be made public, even if his concerns do not materialise.
Example – deliberate
A marketing company collects personal data stating it is for the purpose of a competition and then, without consent, knowingly discloses the data to populate a tracing database for commercial purposes without informing the individuals concerned.