The Information Commissioner's Office is expected to gain powers to fine organisations that breach data protection laws.
The Criminal Justice and Immigration Act 2008 enabled the introduction of a civil monetary penalty regime for serious breaches of the Data Protection Act 1998. Following approval by the Secretary of State for Justice, a draft statutory instrument and guidance drawn up by the Information Commissioner's Office (ICO) was presented to Parliament on 12 January 2010.
The new legislation will empower the ICO to impose fines of up to half a million pounds on organisations that breach personal data security. In order to impose a penalty, the Information Commissioner must be satisfied that a breach was serious, and will consider a number of criteria, including whether the breach caused damage or distress to individuals, and whether it was deliberate or negligent. Penalties would be payable directly to HM Treasury, and would be reduced if paid promptly.
The new regime is expected to come into force on 6 April 2010, and should prompt organisations to review their data protection procedures to ensure they comply with best practice. Loss or misuse of even small amounts of personal data can have very serious consequences for individuals' security and an organisation's reputation, and these penalties are likely to act as a considerable deterrent to loss or misuse on any scale. The Information Commissioner, Christopher Graham, stated that he "will not hesitate to use these tough new sanctions for the most serious cases".