The UK’s data regulator will have new powers from April which will allow it to issue fines of up to £500,000 for serious breaches, as well as enabling it to conduct compulsory audits in central government departments where breaches may have occurred.
Previously, the Information Commissioner’s Office (ICO) was unable to fine an organisation for a data breach – it could only censure it for doing so. However, other regulators, such as the Financial Services Authority, have levied fines – for example, the £1.26m penalty against Norwich Union in 2007 – for failing to adequately protect customer data.
With these new powers of assessment the ICO will be better placed to provide assurances to individuals that those holding their personal information respect their privacy and do not abuse their trust. The new guidance will explain how the law applies and instruct companies to give people the right degree of choice and control over their personal information, for instance by giving them clear privacy choices or making it easier for people to erase their personal information at the end of a browsing session.
The ICO says the power to impose a financial penalty is designed to deal with the most serious personal data breaches and is part of its overall regulatory toolkit. This includes the power to serve an enforcement notice and the ability to prosecute those involved in the unlawful trade in confidential personal data.
Damage or distress
The Information Commissioner primarily intends to use its power to issue assessment notices where risks are identified and data controllers are unwilling to engage voluntarily. For a business to be eligible for such a fine, the ICO must be satisfied that there has been a serious breach that was likely to cause damage or distress, that it was either deliberate or negligent and that the organisation failed to take reasonable steps to prevent it. The ICO gives the following examples:
• Damage: Following a security breach by a data controller, financial data is lost and an individual becomes the victim of identity fraud;
• Distress: Following a security breach by a data controller, medical details are stolen and an individual suffers worry and anxiety that his sensitive personal data will be made public, even if his concerns do not materialise;
• Deliberate: A marketing company collects personal data stating it is for the purpose of a competition and then, without consent, knowingly discloses the data to populate a tracing database for commercial purposes, without informing the individuals concerned.
Code of practice
To encourage organisations to co-operate with its enforcement measures, the ICO is offering to reduce any financial penalty levied by 20 percent if it receives full payment within 28 days of the notice.
The ICO has also launched a consultation on a new draft code of practice which sets out the privacy watchdog’s proposed approach to using its new auditing powers. These allow the regulator to issue an assessment notice – a compulsory audit notice – if an organisation is responsible for a serious data breach.
Initially, the ICO will only be able to conduct these compulsory audits on central government departments, but it hopes to widen these powers in the future to include the private sector.
“Until now, the ICO has largely been a toothless regulator as it had no real punitive powers. That is beginning to change and organisations need to be aware of that,” says Ann Bevitt, partner and head of the EU privacy group at law firm Morrison & Foerster.