New Powers for ICO for Data Breaches
The Information Commissioner's Office (ICO) has been given the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act (DPA). The new power is granted under the Criminal Justice and Immigration Act, which recently received Royal Assent. Hitherto, the ICO could only issue an enforcement notice against an organisation that was in breach of the DPA.
David Smith, the Deputy Information Commissioner, said, "This change in the law sends a very clear signal that data protection must be a priority and that it is completely unacceptable to be cavalier with people's personal information. The prospect of substantial fines for deliberate or reckless breaches of the Data Protection Principles will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously."
There are eight Data Protection Principles with which anyone who processes personal information must comply. The data must be:
1. Processed fairly and lawfully;
2. Processed for limited purposes;
3. Adequate, relevant and not excessive;
4. Accurate and up to date;
5. Not kept for longer than is necessary;
6. Processed in line with the individual's rights;
7. Secure; and
8. Not transferred to other countries without adequate protection.
The power will not apply retrospectively.