Friday, April 09, 2010

UK Commissioner May Order Fines for Serious Breaches of Data Protection Act

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

New enforcement powers aimed at helping the United Kingdom’s Information Commissioner’s Office (ICO) deter data security breaches came into effect under UK law on April 6, 2010.

The ICO is now authorized to order organizations to pay up to £500,000 as a penalty for serious violations of the Data Protection Act (CCH Privacy Law in Marketing ¶49,100).

The ICO may impose a monetary penalty notice if a data controller has seriously contravened the Act’s data protection principles and if the contravention was likely to cause substantial damage or substantial distress.

In addition, either the contravention must have been deliberate, or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

According to the ICO, the power to impose a monetary penalty is part of the ICO’s overall regulatory tool kit, which includes the power to serve an enforcement notice and the power to prosecute those involved in the unlawful trade in confidential personal data.

Further information regarding the new enforcement powers appears on the ICO website.
