Privacy watchdog to have power to fine £500,000

Graham: will not hesitate to use these tough new sanctions for the most serious cases

Organisations that lose people's personal data will be liable for fines of up to £500,000 from April, according to the privacy watchdog.

The top fine will only be issued in the most severe cases, the Information Commissioner's Office (ICO) said in a statement yesterday.

Before issuing the fine the ICO will take into account the seriousness of the data breach, the likelihood of substantial damage and distress to individuals, whether the breach was deliberate or negligent, the size of the organisation and what reasonable steps it has taken to prevent breaches.

Information Commissioner Christopher Graham said:

"I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”

The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and has been laid before Parliament today.

Examples of a breach that might incur the top fine include the loss of financial data that leads to identity fraud, loss of sensitive medical details, or the passing on of data given in good faith for commercial reasons without consent.

If the ICO receives full payment of penalty within a month of the notice being served, the penalty will be reduced by 20 per cent.

The watchdog has long been calling for increased fines under previous commissioner Richard Thomas. Gordon Brown promised to give it new powers to fine and inspect organisations after HM Revenue & Customs lost the financial details of 25 million families in 2007.