The Information Commissioner’s Office has issued guidance on how it will use its new powers to impose penalties of up to £500,000 for breaches of the Data Protection Act.

The guidance says the ICO will only issue a monetary penalty notice if there has been a “serious” breach of the DPA, if the breach was likely to cause “substantial” damage or distress, and if the breach was deliberate or the data controller failed to take “reasonable steps” to prevent it.

However, it gives a number of examples of how the ICO will decide whether these conditions have been met that suggest NHS data controllers could fall foul of the new penalties if NHS organisations continue to commit the kind of breaches that have been reported over the past two years.

For example, it says a “serious” contravention of the act might include “medical records containing sensitive personal data [being] lost following a security breach during an office move.”

And it says “substantial” distress might include “medical details [being] stolen and an individual suffering worry and anxiety that his sensitive data will be made public, even if his concerns do not materialise.”

The guidance says the ICO does not expect businesses, public bodies and other organisations covered by the new powers to treat data protection as an add-on to their normal activities, but as an “integral” part of them.

It therefore indicates that the ICO will regard risk assessments, policies to encrypt laptops and removable devices, and codes of conduct for employees as “reasonable steps” that it would expect to see in place.

The ICO has issued increasingly strong calls for businesses and public bodies to improve data security since HM Revenue and Customs lost the details of millions of child benefit claimants on two unencrypted CDs that were put in the post in November 2007.

It has expressed particular frustration with NHS bodies, which have been responsible for a disproportionate number of the breaches of the DPA that have been reported to it since the HMRC scandal.

The guidance says the aim of the new monetary penalties is to create an effective sanction for breaches of the act and to deter others from breaching it. However, it says that the sector, size and financial resources of an organisation will be taken into account when deciding the level of financial penalty to apply.

Information Commissioner Christopher Graham said: “These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act.

“I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”

Any money raised by the new powers will be paid into the Consolidated Fund run by the Treasury. The new measures only apply to data controllers and not their employees or private individuals.
