MPs have passed legislation giving the Information Commissioner the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.

The Criminal Justice and Immigration Act received Royal Assent on Monday creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO).

Under the legislation, anyone who processes personal information must comply with eight principles which all data processors must be aware of.

The eight principals, which all data processors must be aware of state personal information must be fairly and lawfully processed; be only used for limited purposes; be adequate, relevant and not excessive; and be accurate and up to date.

Data should not be kept for longer than necessary, and must be held securely. Anyone giving their information to be processed must be aware of their rights, and the data should be processed in line with these rights. It should also not be transferred to other countries without adequate protection.

David Smith, deputy Information Commissioner, said: “This change in the law sends a very clear signal that data protection must be a priority and that it is completely unacceptable to be cavalier with people’s personal information.

“The prospect of substantial fines for deliberate or reckless breaches of the Data Protection principles will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously.”

The change in law follows a long campaign by the ICO for more effective sanctions against organisations that fail to live up to their responsibilities under the Data Protection Act.

Under previous legislation the ICO only had powers to issue an enforcement notice against organisations in breach of the Act.

Two weeks ago, the Information Commissioner, Richard Thomas, said NHS chief executives should be personally responsible if their department or trust loses or mishandles personal information.

Smith added: “This new power will enable some of the worst breaches of the Data Protection Act to be punished. By demonstrating that the law is being taken seriously tougher sanctions will help to reassure individuals that data protection matters and give them confidence that organisations have no choice but to handle personal information properly.

“The fact that strengthening the Data Protection Act has cross party support demonstrates the growing consensus on importance of effective data protection.”


NHS chief execs may be accountable for data loss

The Criminal Justice and Immigration Act