Data protection – New enforcement powers
On 6 April 2010, the Information Commissioner’s Office (ICO) acquired significant new powers to fine data controllers up to £500,000 for failing to protect personal data. Under the first of the new powers, the ICO will be able to order organisations to pay penalties for serious breaches of the data protection principles, which may cause damage or distress to data subjects. In deciding on the level of penalty, the ICO will assess breaches according to various criteria, including the seriousness of the breach; the likelihood of significant damage and distress to affected individuals; whether the breach was deliberate or negligent; and what action the organisation had taken to prevent breaches.

In addition, the ICO has been granted new statutory powers to audit government departments without consent under the Coroners and Justice Act 2009. There is scope under this Act for the power of audit to be extended to public authorities and certain private sector data controllers.

The extension to the ICO’s powers of enforcement comes after the tariffs for registration with the ICO were increased, in part to give the ICO a ‘war chest’ enabling it to take much more action than in the past in relation to privacy breaches.

Data controllers are organisations that collect data that can be used to identify individuals, and that determine the purposes for which, and the manner in which, such information is processed. Further information is available on the ICO website: http://www.ico.gov.uk


