Data breach penalties to get higher, warns ICO
27 Jan 2010
Whitehall departments and NHS organisations will face tougher punishments if they do not report data breaches, the Information Commissioner's Office (ICO) has warned.
From April 6 2010, it is expected that the ICO will be able to order organisations to pay up to £500,000 if there is a serious breach of the Data Protection Act.
Although public sector bodies are legally obliged to tell the ICO about information security slip-ups, the ICO has urged private businesses to seek its advice when a breach occurs.
Reporting incidents allows the ICO to offer guidance on how a company should proceed, and the privacy watchdog announced it has received more than 800 reports since November 2007.
A total of 195 of the 818 breaches were due to mistakes, and 262 happened because of theft, often because data was stored on a portable device.
Businesses should encrypt all devices used to transport personal information, enforce security measures and train their staff properly to reduce the risk of breaches, the ICO said.
Deputy commissioner David Smith said: "We are keen to work with organisations to prevent breaches occurring in the first place and to help put things right when things do go wrong."
Copyright © Press Association 2010
