Data Protection: Information Commissioner’s Office gets teeth

30 January 2012 |

The Information Commissioner’s Office has been granted new enhanced powers

£500,000 fines proposed for serious data protection breaches

From 6 April 2010, it is intended that the Information Commissioner’s Office (“ICO”) will have a new power to fine companies up to £500,000 for serious breaches of the Data Protection Act 1998 (“DPA”).  Following a public consultation, the Secretary of State for Justice has approved the maximum fine, is designed to address wilful breaches of the DPA.

Before deciding whether to impose the maximum penalty, the ICO must be satisfied that:

  • the breach was sufficiently serious;
  • the data controller knew (or should have known) that the breach may occur and that substantial damage and distress was likely to have been caused; and
  • despite this, the data controller did not take reasonable steps to prevent the breach.

Discretion to assess the level of a fine will rest with the ICO and it has confirmed that it will take a pragmatic and proportionate approach.  A company’s financial resources, sector and size will be considered to avoid financial hardship.  There will be an appeal process to challenge the imposition, or size, of a fine.

Statutory guidance has also been produced to set out details of the circumstances in which fines will be issued by the ICO and how the level of fines will be determined.

Increased enforcement powers

The ICO is responsible for monitoring and enforcing compliance with legislation covering data protection.  Following several high-profile data protection breaches in the private and public sectors, the Coroners and Justice Act 2009 (“CJA”) will amend the DPA to give the ICO new audit and inspection powers, including:

  • the right to serve an “assessment notice” on a data controller to assess whether it is has complied or is complying with the data protection principles;
  • where a data controller does not comply with the time scales or required period for compliance set out in an assessment notice, the ICO has been granted the power to apply for warrant to enter and inspect any premises stated in the notice.

The CJA amends the DPA to require the ICO to publish a code of practice on the use of assessment notices.  In addition, the ICO is required to issue a code of practice on data sharing.  This code will not have the force of law, but it will serve as a yardstick against which data controllers’ compliance with the data protection rules can be assessed.

A commencement date for these provisions has yet to be announced.


The ICO has long campaigned for greater enforcement powers, on the back of its ongoing name and shame programme.  Originally, it envisaged that such audit powers would apply only to public sector organisations.  However, the new audit powers now extend to both public and private sector organisations.

In light of the proposed new and substantial penalties and the increased enforcement powers to be granted to the ICO, employers in all sectors should undertake health checks to review their data protection policies and practices.  Employers must ensure that they are complying with the data protection principles on a day to day basis to minimise the risk of being fined for any such breaches should the ICO decide to visit an organisation, and exercise its audit powers, in the coming future.


The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010

The draft Data Protection (Monetary Penalties) Order 2010

ICO statutory guidance on monetary penalties

For further information or to discuss the issues raised, please contact Guy Abbiss ( or Colina Greenway ( on +44 (0) 203 051 5711.


Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article. For further legal information click here.

Related content

13 June 2024
How to apply for certificate of residence in the UK
Where an individual is resident in the UK and has…
29 May 2024
UK Share Plan Reporting 2024: Everything you need to know
The deadline is approaching for the HMRC’s annual return filings…
20 May 2024
Employee Share Plan Reporting 2024: Alerting Your Clients
The UK tax authorities’ (HMRC) submission deadline for annual return…
Subscribe to our newsletter
Stay up to the minute on our latest news and insights?
International reach

We have helped clients meet their HR needs in over 70 countries across five continents.