Privacy & Information Security Law Blog

On January 12, 2010, the UK government laid regulations before Parliament to bring into force civil monetary penalties of up to £500,000 ($800,000) for serious data breaches.  These penalties are likely to take effect starting April 6, 2010.  Significantly, the penalties will apply not only to data security breaches, but also to all serious breaches of the UK Data Protection Act 1998.  Accordingly, collecting personal data for a sweepstakes contest then deliberately, and without consent, disclosing the data to a third party to populate a tracing database for commercial purposes might well be subject to a penalty.

In publishing his department’s response to the public consultation, “Civil Monetary Penalties - Setting the maximum penalty,” the Justice Minister, Michael Wills, noted that the misuse of even small amounts of personal data can have serious consequences and that penalties of up to £500,000 “will ensure the Information Commissioner is able to impose robust sanctions on those who commit serious contraventions of the data protection principles.”

Christopher Graham, the UK’s Information Commissioner, has emphasized that he will adopt a pragmatic and proportionate approach to issuing monetary penalties, taking into account the organization’s size, financial resources and industry sector, as well as the severity of the breach.  However, he has stated unequivocally, “I will not hesitate to use these tough new sanctions for the most serious cases where organizations disregard the law.”

Over 700 data breaches have been reported in the UK in the last two years.  It seems likely that the first monetary penalties will not be long in coming.