HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Cybersecurity & Data Breaches, International/EU Privacy

UK Takes Step That Likely Will Result in Significantly Increased Penalties for Data Breaches

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009, it is likely to become law in April 2010.

The focus of the consultation is whether the current sanctions available to the ICO are sufficient. Last month we reported on the government’s consultation on possible prison sentences for serious breaches of the DPA, and this latest consultation builds on the same theme. The current maximum financial penalty the ICO can impose against a data controller for data breaches is £5,000, which is fairly negligible and seriously undermines the ICO’s authority. Other regulators, such as the FSA, have much greater powers and may impose severe penalties of up to 10% of an organisation’s turnover; the disparity in approach is obvious. The government’s aim, therefore, is to increase the monetary penalties available to the ICO, in order to increase compliance with the DPA as well as public confidence in the system. It is noted that incidents of data loss and other serious breaches of the DPA are increasing, yet the ICO has limited powers to address the problems.

The question posed by the consultation is very simple: “Do you consider that a penalty of up to £500,000 provides the ICO with a proportionate sanction for serious contraventions of the data protection principles?” We might predict a resounding ‘yes’ to this, but must wait and see. We do know, however, that, due to the likely administrative burden, the ICO has already rejected an assessment of penalties based on a data controller’s turnover, so a fixed maximum penalty of up to £500,000 (or possibly a different sum) will be adopted.

Further details of the consultation and the proposed introduction of the maximum civil monetary penalty for serious breaches of the DPA can be accessed through the Ministry of Justice website. The link also includes the ICO’s draft guidance on the criteria and circumstances it will consider when using civil monetary penalties. As a rough guide, the seriousness of the breach and whether or not it was deliberate will be important factors, as will the prospect of substantial damage and distress caused, or likely to be caused.