Introduction of monetary penalties for data protection breaches

Posted by site_admin, 01/03/2010

From 6 April 2010, the Information Commissioner may impose a civil monetary penalty of up to £500,000 for serious contraventions of the data protection principles. All data controllers throughout the UK, including businesses that process personal information, should be aware that, for the penalty to apply, the contravention must have been likely to cause substantial damage or substantial distress. In addition, the data controller concerned must either:

  • Have deliberately carried out the contravention.
  • Have known – or ought to have known – that there was a risk of the contravention occurring. In these circumstances, they must also have known – or ought to have known – that the contravention was likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it.

Statutory guidance produced by the Information Commissioner provides further details on how he proposes to exercise his functions in relation to imposing a civil monetary penalty and data controllers’ procedural rights – see the appropriate link below. You are reminded that, when you and/or your employees process personal information, you have a duty to comply with the data protection principles. These are to ensure that the personal data you hold is:

  • kept secure 
  • processed fairly and lawfully
  • adequate, relevant and not excessive
  • processed in line with the rights of individuals
  • accurate and, where necessary, kept up to date
  • processed for one or more specified and lawful purposes
  • kept for no longer than is necessary for the purpose for which it is being used
  • not transferred outside the European Economic Area unless adequately protected
