Stakes rise for data mishandling

In April a new hazard was introduced for organisations which mislay personal data. The Information Commissioner has gained the power to levy a fine up to £500,000 on any organisation which either deliberately or negligently releases data improperly, resulting in substantial damage or distress to the 'data subject.'

Schools and colleges are potentially at risk of losing data: not only by unencrypted laptops and memory sticks being taken off premises and left in cars or on trains and buses but also from markbooks and memos that may fall out of them.

The test of negligence will be that the 'data controller' knew, or ought to have known, that the system was faulty and that it was more likely than not that harm would be caused, but failed to ensure that reasonable security measures were in operation.

Although the fines are intended to be both a sanction and a deterrent, the commissioner has said he will only impose the maximum fine in the worst cases and will consider the sector the offender is working in, the size of the organisation and its resources. He will not impose sanctions that will cause hardship or impose them on an otherwise responsible data controller for a single lapse. There is a right of appeal against fines to the tribunal service.

The fact that the consequence of carelessness may mean financial penalties - as well as the embarrassment and loss of parental confidence that has been the penalty in the past - is a nudge to schools and colleges to check that their policies are appropriate and are adhered to.