
Data Defaulters Beware

18 Mar 2010

The consequences of non-compliance with data protection legislation are about to get a lot tougher. New powers for the Information Commissioner’s Office (ICO) are expected to come into force on 6 April 2010. Under the new rules, a serious personal data security breach could lead to a monetary penalty of up to £500,000 where the breach is deliberate or negligent and is likely to cause substantial damage or substantial distress to individuals. Until now the ICO has not been able to impose penalties directly, although fines through the courts have been possible.

Examples of incidents that may lead to a penalty under the new powers are set out in guidance the ICO issued on 12 January. They include failing to take adequate security measures, such as encrypting data. An organisation that does not encrypt material stored on portable devices, or does not know how many laptops it has lost, may have a hard time explaining itself.

Alarm bells might also start to ring when employers read in the guidance that substantial damage could occur where inaccurate data is disclosed in a work reference and results in the loss of a job offer.

Whether a breach will lead to a penalty for an organisation – and how much the penalty will be – are determined by:
- an organisation’s financial resources and the industry sector it is in;
- the severity of the breach;
- whether the consequences were down to factors outside the organisation’s control;
- the kind of preventative measures the organisation took or may have taken.

The ICO has indicated it will adopt a “proportionate” approach – so attempts to comply will be highly relevant, both to whether a fine is imposed at all and, if so, how much it will be.

Employers must ensure that appropriate security measures are in place to prevent harm caused by unauthorised or unlawful processing of personal data or accidental loss, destruction or damage of that data. This includes taking reasonable steps to ensure the reliability of any employees accessing the personal data. If a third party is processing the data on the organisation’s behalf, the employer must also ensure that the external organisation has suitable security measures in place.

HR and legal departments are only two of the organisational stakeholders; compliance requires a multi-disciplinary approach, and is likely to involve facilities management, IT, and compliance functions. Since security breaches commonly result from employee action or inaction, or lack of training, HR clearly has an important role to play in ensuring that employees understand their obligations. It can do this through training and awareness schemes, and by capturing and endorsing company-wide best practice in a range of processes and procedures.

HR professionals have specific obligations in relation to how employee data is kept and shared. When a laptop, CD or memory stick is lost, ICO criticism will follow if it held more information than it needed to.

Employees need clear instructions on how much employee data may be taken off site on portable storage media. Managers should not be given access to data simply because they are senior, and the employees who handle requests for personal data that arrive by phone or over the internet should be trained to deal with them.

HR also needs to check home workers’ arrangements for protecting data, and vet third parties with access to personal data, whether they are self-employed contractors or temporary workers.

Key points
- From 6 April, the ICO can fine organisations up to £500,000 for breaching data protection principles.
- Penalties will depend on the organisation’s finances, the seriousness of the breach, and the measures taken to prevent it.
- Preventative steps include checking the reliability of those accessing data, training, locks and encryption.
- Organisations should appoint data protection champions to drive compliance initiatives.


PBS UK Ltd, 2nd floor, Granby House, 44 Friar Lane, Nottingham, NG1 6DQ
T. +44 (0) 115 985 3199 | F. +44 (0) 115 985 3180 |
Registered in England No. 6487635
VAT Registration No. 933 9417 05
REC No. 3112
Committed to Equal Opportunities