
Fines for data protection breaches on the rise

Since the power of the Information Commissioner’s Office (ICO) to impose fines for breaches of the Data Protection Act was increased in April 2010 to a maximum fine of £500,000, the ICO has imposed a number of substantial fines.

The ICO has fined organisations in the public sector (local authorities and a police force), the private sector (an employment service company) and, most recently, a charity. It was reported recently that in a 12-month period the ICO had issued 15 fines totalling some £1.8 million.

While it is the ICO’s practice to guide and assist organisations with data protection compliance and to act in a proportionate manner in exercising its powers, the ICO has demonstrated that in appropriate circumstances it will impose a substantial fine for a breach of data protection law. When considering a financial penalty, the factors the ICO will take into account include the seriousness of the breach, the likelihood of substantial distress or damage to the individuals whose personal data is at issue, whether the breach was deliberate or was something that the organisation knew or ought to have known about and, finally, what steps the organisation took to prevent the breach.

A common feature of several of the cases where the ICO has imposed a substantial fine is that the personal data had been removed from the premises of the organisation by an employee and thereafter the data had been lost or stolen.

It is very clear that where there is personal data on a laptop, memory stick or other portable device which leaves the premises of the organisation, simple password protection is not enough. The data must be encrypted.

Organisations should ensure that staff are adequately trained as to compliance with the Data Protection Act, put in place clear policies and procedures for processing personal data (and ensure that these are being adhered to in practice), consider the risks in dealing with personal data (and take steps to guard against those risks) and be able to respond swiftly in the event of a breach so as to mitigate the effects thereof.

These measures are necessary for an organisation to demonstrate that it has complied with the data protection principles, including the seventh principle which requires that it take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against its accidental loss or destruction.

This article was written by Lance Terry, Partner within the Commercial Business team. You can contact Lance on 01329 282841 or via email to l.terry@glanvilles.co.uk