It has been reported that the Information Commissioner’s Office (ICO) has reduced fines for organisations that have breached data protection law in over half of the cases in which it has issued direct fines.
Since April 2010 the ICO has had the power to issue monetary penalty notices, up to the value of £500,000, for serious breaches of the Data Protection Act (DPA). Over the last two years, the ICO has issued 14 penalty notices, although the highest has been £140,000, and this was issued in January of this year.
The Information Commissioner’s Office is obliged to issue notices indicating to the organisations responsible for the data what penalty, if any, the ICO considers appropriate for the breach. However, it can decide to alter or withdraw the proposed penalty in its final determination, if representations made by those organisations persuade it to do so.
Following a freedom of information request relating to the first ten cases, the ICO said that on five occasions they have issued final penalty notices which were lower than they had originally proposed.
They also admitted that one was reduced by almost 100% because the organisation involved had claimed bankruptcy, but in the other cases the average reduction was 20%.