I'm on my way back to Cambridge after a meeting at Intellect's Russell Square offices about the new Information Commissioner and the latest from the ICO. Interesting points covered included:
- ICO will be able to impose fines from early next year for serious breaches with potential to cause substantial damage or distress (which we knew already) - but they're 'monetary penalties' and not fines because they are not criminal sanctions.
- Monetary penalties are still under consultation. ICO currently favours setting a maximum figure (rather than unlimited penalties or a percentage of turnover). The level is likely to be a 'substantial figure' (though less than £1m). Likely to go to a public consultation later this year so may still change further.
- April still the best bet for when the fines ... er ... penalties ... will be available to the ICO.
- They won't only apply to security breaches/7th principle breaches (though the ICO would have expected to be able to impose penalties on HMRC, the MOD and the people behind the construction employee gaffe, all of which made headlines, if the power had been introduced earlier).
- Also talk about compulsory audits (after 'assessment notices') for central Government (and other sectors, where extended by order).
- And data breach notification is still on the radar and still under discussion by the EC.