The Information Commissioner will be able to impose fines of up to £500,000 for serious breaches of the Data Protection Act 1998 (the DPA) under draft legislation laid before Parliament. The new powers would apply from 6 April 2010 in respect of any "data controller" – that is, any body which determines how and why personal data is processed. If passed, the new legislation will represent a significant advance in the Commissioner's powers to deal with breaches. Until now these powers have been limited to issuing enforcement and information notices, inspecting data controllers' premises, and bringing criminal proceedings for certain offences only (with a potential fine of up to £5,000 in a magistrates' court or an unlimited fine in the Crown Court). A data controller can additionally be sued by an individual who has suffered damage or distress as a result of its breach, although in practice such cases are rare.
From April, where there has been a "serious contravention" of any of the data protection principles of the DPA which is "likely to cause substantial damage or substantial distress", the Commissioner could fine the data controller as much as £500,000 in either of two situations: where the controller deliberately contravened the DPA; or where the controller knew or ought to have known that there was a risk of a contravention of that kind, and that it would be likely to cause substantial damage or distress, but still failed to take reasonable steps to prevent it. In other words, negligence is enough; the penalty is not confined to deliberate breaches.
The Information Commissioner's Office has published statutory guidance, including practical examples, on the circumstances in which a monetary penalty notice would be issued, and how the amount of the penalty would be determined, at http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_guidance_monetary_penalties.pdf. An example would be where a company was warned by its IT department that its employees were accessing individuals' medical records (which, if made public, could cause those individuals anxiety and/or financial loss), yet the company failed to implement an appropriate security policy, for example encrypting the relevant IT systems. (Note that encryption on its own does not stop authorised staff from misusing records they can legitimately decrypt; in a case of this kind the "reasonable steps" would ordinarily also include restricting access to those who need it and logging and reviewing that access. The point of the example is that the controller was on notice of the risk and did nothing.) The Commissioner would first serve a notice of intent on the data controller stating (among other details) the grounds on which the Commissioner proposed to impose a fine, the amount of that fine, the basis on which that amount was determined and the period (which must be at least 21 days) during which the data controller can make written representations against the proposed fine. Having taken those representations into account, the Commissioner will then, if it is still appropriate to do so, issue the data controller with a monetary penalty notice which, in addition to re-stating or amending the information given in the notice of intent, will tell the data controller how it can either pay or appeal against the fine.