The Ministry of Justice has launched a consultation into whether the Information Commissioner’s Office should be able to penalise organisations that commit serious data breaches with fines of up to £500,000.

The consultation ‘Civil monetary penalties: setting the maximum penalty’ asks: “do you consider that a penalty of up to £500,000 provides the ICO with a proportionate sanction for serious contraventions of the data protection principles?”

The aim of the penalty is to contribute to increased compliance with the Data Protection Act by acting as both a sanction and a deterrent. If passed, it will cover the UK including Northern Ireland.

However, the consultation also says: “any financial sanction that may be imposed by the ICO must be proportionate.” It recommends that the maximum penalty “should not be any higher than the equivalent of 10% of the highest annual turn over of a small company.”

It also says: “The ICO will have regard to the financial hardship a penalty may inflict on a data controller guilty of a serious breach of the data protection principles.”

Draft guidance on the issue of monetary penalties on the ICO’s website says the monetary penalty will not be kept by the commissioner and that it must be paid into the Consolidated Fund owned by HM Treasury.

The consultation, which runs until 21 December, was launched as the ICO revealed that 434 organisations reported data security breaches over the past year. More than 200 were hospitals.

According to the ICO, NHS hospitals holding private medical records were among the worst offenders.

David Smith, deputy information commissioner, said: “Since November 2007 we have taken action against 54 organisations for the most reckless breaches in line with our commitment to proportionate regulation.

“Some of these breaches would trigger a significant fine for organisations were they to occur after the introduction of monetary penalties in 2010.”

An impact assessment of the maximum penalty by the Ministry of Justice states that three amounts were considered before the consultation: £50,000, £500,000 and £2.5m.

The assessment adds that if the penalty is set at £500,000, the ICO is estimated to impose eight financial penalties per year, of which two will be appealed in a first tier tribunal.

Last month, E-Health Insider reported that the Ministry of Justice had launched a consultation that could see individuals who “knowingly or recklessly” misuse personal data facing a jail term of up to two years. The consultation for the proposal will run until the end of January.
