David Gourlay: From paperwork to laptop dongle, data protection is vital

IN THE past few years, the "dongle" has become a regular companion for business executives.

Offering close to broadband-speed data transfer, the dongle has transformed how we can do business on the move, helping turn the laptop into a genuine mobile workstation, enabling the transfer of much larger amounts of data than before and, in so doing, boosting the productivity of anyone on the move.

But, with effect from tomorrow, the dongle – and indeed any form of data storage device, including traditional paper documents – potentially becomes a major financial liability to every business.


This is because tomorrow marks the date from which the information commissioner has the power to fine any business or organisation up to £500,000 if it has committed a serious breach of the increasingly onerous data protection principles.

In a nutshell, if a business misplaces or abuses personal information – whether by accident or design – in such a way as to violate the Data Protection Act, then it risks a substantial fine.

The changes have been prompted by growing concern that personal data is being misused by UK organisations. There have been longstanding concerns that the Data Protection Act did not serve as a sufficient deterrent to anyone breaching it, whether they be government departments, businesses, journalists, private investigators, tracing agents, or even police officers who misuse the police national computer system.

Businesses must now comply, or face the prospect of a fine that could be potentially ruinous for many enterprises.

In practice, the information commissioner will have the right to issue a fine if he considers:

• the breach was of a kind likely to cause substantial damage or substantial distress, and

• the breach was deliberate or the organisation knew, or ought to have known, that there was a risk that the breach would occur, and that such a breach would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent it.

Before a penalty notice can be served, the information commissioner must first issue the organisation concerned with a notice of intent. This must tell the organisation of its right to make representations about the proposed penalty.


The information commissioner may only issue a penalty notice once the period for making representations has expired. Even then, once the penalty notice has been served, the organisation can appeal to the Tribunals Service.

The information commissioner has issued guidance on how he proposes to interpret and exercise his new powers. He gives examples of serious breaches as the loss of medical records containing sensitive personal data and the loss of a CD holding personal data following a failure to take adequate security measures.

Every business and organisation holds personal information, sometimes vast amounts of highly confidential data. If that data were to be lost then it could compromise the future of the organisation and of the people that work within the organisation or indirectly as suppliers.

The onus is now firmly on businesses and organisations to protect and manage their personal information to ensure that there is no breach or loss.

Since prevention is better than cure, businesses are being encouraged to put in place a series of measures to ensure they minimise any risk of data loss and any subsequent fines. These include:

• carry out risk assessments

• implement and adhere to suitable policies, procedures, practices and processes

• adopt good governance and/or audit arrangements

• implement relevant guidance and codes of practice, such as those issued by the information commissioner

• have robust contracts in place with service providers and monitor compliance

• respond quickly to security incidents

• co-operate with the information commissioner.


Many of us will be familiar with stories of confidential files of bank customers or NHS patients being found in skips, and of the well-publicised loss by HM Revenue & Customs of millions of residents' private information. As businesses return from the Easter break, I urge you to make sure you know where your data is, and that it is always under lock and key.

• David Gourlay is an intellectual property and information technology partner at law firm McClure Naismith.
