New powers to issue monetary penalties will come into force on 6 April 2010, allowing the Information Commissioner’s Office to serve notices requiring organisations, including FE and HE institutions, to pay up to £500,000 for serious breaches of the Data Protection Act. The Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress. In addition the contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.
Guidance on how the new power will be exercised is available on the ICO's website.