Wednesday, April 07, 2010

Data Protection Penalties

From 6 April 2010, the Information Commissioner may impose a civil monetary penalty of up to £500,000 for serious contraventions of the data protection principles.

In order for the penalty to apply, the contravention must have been likely to have caused substantial damage or substantial distress. In addition, the data controller concerned must either:

Have deliberately carried out the contravention.

Have known, or ought to have known, that there was a risk of the contravention occurring. In these circumstances, they must also have known, or ought to have known, that the contravention was likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it.

When you and/or your employees process personal information, you have a duty to comply with the data protection principles. These are to ensure that the personal data you hold is:

kept secure

processed fairly and lawfully

adequate, relevant and not excessive

processed in line with the rights of individuals

accurate and, where necessary, kept up to date

processed for one or more specified and lawful purposes

kept for no longer than is necessary for the purpose for which it is being used

not transferred outside the European Economic Area unless adequately protected
