In May 2008 the privacy watchdog, the Information Commissioner’s Officer (ICO), was given the power under the Criminal Justice and Immigration Act to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.

Whilst the ICO anticipates that the change in law will send a very clear signal that it is unacceptable to be cavalier with people’s personal information, the power to fine organisations for data protection misdemeanours will not be vested in the ICO until 2010. Cross political party support to strengthen the Data Protection Act demonstrates the growing consensus for effective data protection with a desire for organisations to live up to their responsibilities following a number of unacceptable security breaches last year. It comes as a huge disappointment to the ICO that the power will not be vested until 2010. This is particularly in light of the ICO issuing five recent warnings to NHS trusts for data protection breaches. The timing of this set-back unfortunately coincides with the recent appointment of a new commissioner. It is hoped that this is not reflective of the new commissioner’s term in office.