Data breach fines could rise to £17 million

Breaching data protection standards could carry a significantly higher fine under new powers that may be given to the Information Commissioner’s Office (ICO). The proposed Data Protection Bill raises the cap on fines from £500,000 to £17 million or four per cent of an organisation’s annual turnover, which ever is higher. The new ICO power relates to all organisations that handle EU citizens’ personal information, including police forces. The Bill will also make it a criminal offence to “intentionally or recklessly” create situations where people could be identified from anonymised data. No force has previously been fined close to £500,000 for breaching data protection standards. In May, Greater Manchester Police was asked to pay £150,000 after footage of interviews with victims of violent or sexual offences were lost in the post. The force had sent three unencrypted DVDs to the National Crime Agency by recorded delivery but they never arrived. It had previously been fined £150,000 in 2012 when an unprotected USB stick was stolen. In April 2016, Kent Police was issued an £80,000 fine when it passed sensitive details of a woman who accused her partner of domestic abuse to the suspect. Kent Police was also fined £100,000 in 2014 after leaving confidential tapes in a building that it sold to a local business. The highest fine issued by the ICO so far was £400,000 to TalkTalk after details belonging to almost 157,000 people were stolen from its website in 2015. Alongside increasing fines, the Data Protection Bill will give the public greater control over their personal data. People will receive the ‘right to be forgotten’ by asking for their information to be erased, including details posted on social media accounts when they were children. Organisations will need explicit consent to process sensitive personal information, and the definition of ‘personal data’ will be expanded to include IP addresses, internet cookies and DNA. The main provisions in the proposed Bill come from the EU’s General Data Protection Regulation (GDPR), which the Government intends to bring into UK law. It was welcomed by Information Commissioner Elizabeth Denham, who praised the benefits that “enhanced protections will bring to the public”. Digital minister Matt Hancock said: “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. “The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. “We have some of the best data science in the world and this new law will help it thrive.” This week`s issue of Police Professional will contain a feature article by Ms Denham on how to avoid data breaches.