Data Protection breaches to result in up to £500,000.00 fine

April 6, 2010

On 6 April 2010 new powers designed to deter personal data security breaches will come into force. Following a series of high profile losses of personal data the government decided to considerably increase the Information Commissioner’s powers. From April the Information Commissioner’s Office (ICO) will be able to order organisations to pay up to £500,000.00 as a penalty for a serious breach of the Data Protection Act.

The ICO will consider carefully the circumstances of the breach, including the seriousness of the data breach; likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent and what reasonable steps the organisation took to prevent breaches.

In light of these new strict penalties, it has never been more important for organisations to ensure that they comply with the provisions of the Data Protection Act.

Anyone who processes personal information must comply with 8 principles, which make sure the personal information is:-

• Fairly and lawfully processed;

• Processed for limited purposes;

• Adequate, relevant and not excessive;

• Accurate and up to date;

• Not to be kept for longer than is necessary;

• Processed in line with the individual’s rights;

• Secure; and

• Not transferred to other countries without adequate protection.

Almost every business, voluntary organisation and public sector body processes personal data. It is therefore imperative that they review their policies, procedures and practices to ensure that they do not fall foul of the Data Protection Act. As organisations are liable for the acts of third parties processing data on their behalf, they should also ensure, by way of contracts, that any bodies engaged to process or store personal data on their behalf have in place similar obligations.

Organisations should take the following minimum steps to avoid a breach of the Data Protection Act:

• Carry out risk assessments to understand the likely risks in processing personal data and take steps to address these risks;

• Have in place audit arrangements to establish lines of responsibility to prevent serious contraventions;

• Have in place appropriate policies, procedures and practices being operated to ensure personal data is adequately protected; and

• Comply with codes of practice and guidance issued by the Information Commissioner

CFR have extensive experience in carrying out Data Protection Audits, drafting Data Protection policies and data processing contracts. For further information please contact Karen Blair.

Please note: The content of this article is for information purposes only and further advice should be sought from a professional advisor before any action is taken.
Cleaver Fulton Rankin, 50 Bedford Street, Belfast, BT2 7FW
T: 028 9024 3141, Fax: 028 9024 9096,
A legal alliance Matheson Ormsby Prentice, Dublin & Cleaver Fulton Rankin, Belfast