Last week saw some important changes in the powers of the Information Commissioner to enforce data protection legislation.
We have just issued an update explaining those changes. It’s worthwhile reading for all organisations which handle personal data – information about identifiable, living individuals, whether staff, clients/service users, contacts or otherwise.
The main point to note is that, for the first time, a deliberate or reckless, serious failure to comply with any of the eight data protection principles in the Data Protection Act 1998 (the “DPA”) could result in a fine of up to £500,000. So, for example, a failure to put in place adequate systems to protect against the theft or loss of personal data, or to ensure that personal data is only shared with other organisations to the extent permitted by the DPA, could now result in a very substantial fine.
The amounts involved look set to persuade even the most reluctant of organisations to pay more attention to data protection compliance. If the threat of regulatory sanction still doesn’t seem real at this early stage in the new regime, it no doubt will when the first fines have been handed out. Those on the receiving end will be faced not only with paying them, but also with the negative publicity and related legal and commercial problems which a penalty of this nature could bring.
No time like the present, then, to review your policies, procedures and practices relevant to the handling of personal data and to identify (and prioritise) any issues that need to be addressed.
On April 14, 2010