Recently I read two news stories on the same day. The first concerned EU proposals for tighter data protection laws. These included powers to impose fines of 1m or 2% of annual turnover on organisations that failed to protect the information they hold about people.
In Britain, the Information Commissioner’s Office already has powers to impose fines of £500,000 for data loss. Last year, the average penalty imposed was just over £77,000.
The other story I read concerned a 41-year-old man who was operating a die-cast machine when 650ºC molten metal sprayed from the back of it, causing serious burns to his right arm, shoulder, leg and face. He was unable to work for two months and continues to receive treatment for his damaged skin.
Magistrates were told there had been three similar incidents at the factory, one of which caused serious injuries to another employee just seven months earlier. Despite this, and the fact that a risk assessment had identified the danger, nothing had been done to reduce the risks.
Inevitably the employer was found guilty of breaching health and safety laws. And the penalty? A reduced fine of £6,000 following a plea of “financial difficulty”.
Now this is just one case, but reports suggest that the average fine for breaches of health and safety laws is around £24,000 for HSE (Health & Safety Executive) prosecutions and just £8,000 for local authority prosecutions.
In 2005, the last time the HSE reported average fines imposed following deaths at work, the average fine following a fatality was £30,000. Subsequent research suggests this has risen to between £50,000 and £100,000. So that’s about the same as the average fine imposed for loss of data.
Loss of life or loss of data. What’s more valuable?
People’s data is important and it’s right it should be adequately protected. But when it comes to penalties, isn’t it time we asked – have we got our priorities right?