
Security Strategy

£500,000 fine coming for businesses that lose data?

Watchdog gets teeth - but only after more than 700 data breaches

Tags: ico, information commissioner's office, data loss, data breach

By Nick Heath

Published: 12 November 2009 16:10 GMT

Organisations that lose individuals' data could face a fine of up to £500,000 under proposals being considered by the government.

From next year, the privacy watchdog the Information Commissioner's Office (ICO) will be able to fine companies that recklessly or maliciously breach the Data Protection Act (DPA). The Ministry of Justice yesterday launched a public consultation on the maximum amount such fines can run to - a figure it proposes should be set at £500,000.

In its consultation document the MoJ said it chose £500,000 because it did not want the penalty to be more than "10 per cent of the highest annual turnover of a small company".

As well as being imposed for malicious or reckless breaches of the DPA, the fine could also be used by the ICO against companies who have:

  • Stored or processed personal data in a country outside of Europe that does not have adequate data protection legislation
  • Kept data for longer than is necessary for the organisation
  • Obtained personal data unlawfully
  • Accidentally deleted that data

Under the ICO's current powers, the strongest sanction the watchdog has against an organisation that loses data is to serve it with an enforcement notice requiring it to improve data security or face legal action.

Deputy information commissioner, David Smith, welcomed the ICO's new powers and said they would help stop more breaches from occurring.

"We are keen to encourage organisations to achieve better data protection compliance and we expect that the prospect of a significant fine for reckless or deliberate data breaches will focus minds at board level," he said in a statement.

The announcement coincides with the latest ICO figures showing that 711 businesses, government bodies and charities have suffered data security breaches over the past two years.

Companies that are reckless with personal data could face a £500,000 fine from the Information Commissioner's Office
(Photo credit: swanksalot via Flickr under the following Creative Commons Licence)

Of these organisations more than 200 were private companies and 209 were NHS health trusts and bodies.

Earlier this year the high level of losses among NHS trusts prompted the ICO to write to the Department of Health warning it needed to improve data security at health trusts.
