Tough new laws on data breaches

  • 13 May 2008

MPs have passed legislation giving the Information Commissioner the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.

The Criminal Justice and Immigration Act received Royal Assent on Monday, creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO).

Under the legislation, anyone who processes personal information must comply with eight principles.

The eight principles, which all data processors must be aware of, state that personal information must be fairly and lawfully processed; be only used for limited purposes; be adequate, relevant and not excessive; and be accurate and up to date.

Data should not be kept for longer than necessary, and must be held securely. Anyone giving their information to be processed must be aware of their rights, and the data should be processed in line with these rights. It should also not be transferred to other countries without adequate protection.

David Smith, deputy Information Commissioner, said: “This change in the law sends a very clear signal that data protection must be a priority and that it is completely unacceptable to be cavalier with people’s personal information.

“The prospect of substantial fines for deliberate or reckless breaches of the Data Protection principles will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously.”

The change in law follows a long campaign by the ICO for more effective sanctions against organisations that fail to live up to their responsibilities under the Data Protection Act.

Under previous legislation, the ICO only had powers to issue an enforcement notice against organisations in breach of the Act.

Two weeks ago, the Information Commissioner, Richard Thomas, said NHS chief executives should be personally responsible if their department or trust loses or mishandles personal information.

Smith added: “This new power will enable some of the worst breaches of the Data Protection Act to be punished. By demonstrating that the law is being taken seriously, tougher sanctions will help to reassure individuals that data protection matters and give them confidence that organisations have no choice but to handle personal information properly.

“The fact that strengthening the Data Protection Act has cross-party support demonstrates the growing consensus on the importance of effective data protection.”
