£500k data loss fine could hit from April

Privacy watchdog gets more teeth
Written by Nick Heath, Contributor

Companies that lose individuals' sensitive personal data will face a fine of up to £500,000 under powers expected to come into force from April.

The powers will allow the UK's privacy watchdog, the Information Commissioner's Office, to fine private and public sector organisations that commit a serious breach of the Data Protection Act.

Justice minister Michael Wills laid a statutory instrument before Parliament on Tuesday, setting the maximum fine at £500,000. The instrument will become law by default on 6 April this year, unless Parliament objects.

Organisations will be fined if the information commissioner feels the data breach resulted from a deliberate act or negligence and is likely to cause damage or distress to an individual.

Examples of scenarios that could incur a fine include an individual becoming a victim of identity fraud after their financial data is lost by a company, or a person suffering anxiety about sensitive personal information leaking out after their medical data is stolen.

Information commissioner Christopher Graham said in a statement: "As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details.

"When things go wrong, a security breach can cause real harm and great distress to thousands of people."

Under the ICO's current powers, the strongest sanction the watchdog has against organisations that lose data is to serve them with an enforcement notice requiring them to improve data security or face legal action.

The latest ICO figures show that 711 businesses, government bodies and charities suffered data security breaches between 2007 and 2009.

Of these organisations, more than 200 were private companies and 209 were NHS health trusts and bodies.
