ICO could fine trusts up to £500k

  • 13 November 2009

The Ministry of Justice has launched a consultation into whether the Information Commissioner’s Office should be able to penalise organisations that make serious data breaches with fines of up to £500,000.

The consultation ‘Civil monetary penalties: setting the maximum penalty’ asks: “do you consider that a penalty of up to £500,000 provides the ICO with a proportionate sanction for serious contraventions of the data protection principles?”

The aim of the penalty is to contribute to increased compliance with the Data Protection Act by acting as both a sanction and a deterrent. If passed, it will cover the UK including Northern Ireland.

However, the consultation also says: “any financial sanction that may be imposed by the ICO must be proportionate." It recommends that the maximum penalty "should not be any higher than the equivalent of 10% of the highest annual turn over of a small company.”

It also says: “The ICO will have regard to the financial hardship a penalty may inflict on a data controller guilty of a serious breach of the data protection principles.”

Draft guidance on the issue of monetary penalties on the ICO’s website says the monetary penalty will not be kept by the commissioner and that it must be paid into the Consolidated Fund owned by HM Treasury.

The consultation, which runs until 21 December, was launched as the ICO revealed that 434 organsations reported data security breaches over the past year. More than 200 were hospitals.

According to the ICO, NHS hospitals holding private medical records were among the worst offenders.

David Smith, deputy information commissioner, said: “Since November 2007 we have taken action against 54 organisations for the most reckless breaches in line with our commitment to proportionate regulation.

“Some of these breaches would trigger a significant fine for organisations were they to occur after the introduction of monetary penalties in 2010.”

An impact assessment of the maximum penalty by the Ministry of Justice states that three amounts were considered before the consultation of £50,000, £500,000 and £2.5m.

The assessment also adds that if the penalty is set at £500,000, it is estimated that the ICO will impose eight financial penalties per year of which two will be appealed in a first tier tribunal.

Last month, E-Health Insider reported that the Ministry of Justice had launched a consultation that could see individuals who “knowingly or recklessly” misuse personal data facing a jail term of up to two years. The consultation for the proposal will run until the end of January.

Links: Ministry of Justice consultation document

Information Commissioner’s Office

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

WHO launches collaborative network for data and digital health

WHO launches collaborative network for data and digital health

WHO is bringing together its European region member states with partners for a network focused on advancing data and digital solutions in health.
Calderdale and Huddersfield awarded HIMSS stage 6 for analytics capabilities

Calderdale and Huddersfield awarded HIMSS stage 6 for analytics capabilities

Calderdale and Huddersfield NHS Foundation Trust has achieved a stage 6 validation from HIMSS for its use of data and approach to data science.
ICO guidance on transparency published for health and care sector

ICO guidance on transparency published for health and care sector

New guidance has been issued by ICO over how health and care organisations should be transparent over the use of personal information.