From 6 April 2010, the Information Commissioner may impose a civil monetary penalty of up to £500,000 for serious contraventions of the data protection principles.
In order for the penalty to apply, the contravention must have been likely to have caused substantial damage or substantial distress.
In addition, the data controller concerned must either:
- Have deliberately carried out the contravention.
- Have known, or ought to have known, that there was a risk of the contravention occurring. In these circumstances, they must also have known, or ought to have known, that the contravention was likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it.
You are reminded that, when you and/or your employees process personal information, you have a duty to comply with the data protection principles. These are to ensure that the personal data you hold is:
- kept secure
- processed fairly and lawfully
- adequate, relevant and not excessive
- processed in line with the rights of individuals
- accurate and, where necessary, kept up to date
- processed for one or more specified and lawful purposes
- kept for no longer than is necessary for the purpose for which it is being used
- not transferred outside the European Economic Area unless adequately protected
Download guidance on monetary penalties for serious data-protection breaches from the Information Commissioner's Office (ICO) website (PDF, 263K)
Data protection guidance on the Information Commissioner's website