MoJ consults on £500k data breach fines

Companies that suffer serious data breaches could be fined up to £500,000 under government plans announced this week.

On Monday, the Ministry of Justice launched a consultation over levels of monetary penalties for breaches of the Data Protection Act. In a press statement, justice minister Michael Wills said the powers of the body that enforces the act, the Information Commissioner's Office, needed to be strengthened.

'The government is committed to ensuring that personal data is handled and processed responsibly and lawfully," said Wills. "We want to ensure that the Information Commissioner's Office has the powers it needs and is able to impose robust penalties on those who commit serious breaches of data protection principles."

The consultation asks just one question: "Do you consider that a penalty of up to £500,000 provides the ICO with a proportionate sanction for serious contraventions of the data protection principles?"

At present, the ICO has the power to fine organisations up to £5,000 for serious breaches of the Data Protection Act. A Ministry of Justice spokesperson told ZDNet UK on Thursday the £500,000 fine was meant as an effective deterrent.

"The reason we're proposing this new penalty is because it will provide the ICO with a tool to punish serious contraventions of the data protection principles, and serves as an effective deterrent against future contraventions," said the spokesperson. "Following discussions with the ICO, we consider this amount to be a reasonable maximum for all data controllers."

Assistant information commissioner David Smith told ZDNet UK on Thursday it wasn't just the level of the fine that was important, but that the process would be in public — as ensured by a clause recently added to the Data Protection Act.

"We very much welcome the power to impose monetary penalties, not just because of the level of the fine, but also because the process will operate in public," said Smith. "Impact on reputation is always a big lever for organisations."

Smith said the government had considered not imposing any limit on the fine, in line with penalties imposed by the Financial Services Authority, but had decided that £500,000 would be sufficient in light of further powers, which the ICO is in line to be granted.

"The Ministry of Justice is conducting a separate consultation, which is looking at custodial sentences for [malicious data breach] offences," said Smith. "Also, under the Coroner's and Justice Bill [which is going through Parliament], we will have the ability to conduct data protection inspections."

These inspections will not be spot-checks, but performed after notification, said Smith. Inspections will initially start with public sector bodies, but could be extended to the private sector, Smith added.

Data breach figures released by the ICO on Wednesday reveal that the single biggest cause of data loss over the past two years was burglary and theft. However, overall, more incidents were caused by human error in terms of lost hardware, data disclosed in error, or technical or procedural faults.

"By and large, these are all human error problems," said Smith. "But behind the errors are a lack of processes, disciplinary procedures or technical measures, such as encryption."

The public sector organisation with the most data breaches over the past two years was the NHS, according to the ICO figures. The ICO said last year that a spate of data breaches was not due to more incidents, but to more organisations admitting to them.

The Ministry of Justice monetary penalty consultation closes on 21 December.