The Information Commissioner's Office will be able to fine companies found guilty of breaching the Data Protection Act up to £500,000 from April 2010.
The maximum amount has just been approved by the Secretary of State for Justice, after initial provisions for the ICO to impose fines on organisations were passed in May 2008 with the introduction of the Criminal Justice and Immigration Act.
Following a public consultation on whether fines would provide the ICO with the appropriate tool to clamp down on those who wilfully ignore data protection principles, the government has proposed to set a maximum penalty of £500,000 that will come into force on 6 April.
"As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people," said Information Commissioner Christopher Graham.
"I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."
Justice minister Michael Wills explained that the penalties are designed to act as a deterrent, and to promote compliance with the Data Protection Act (DPA).
"Most data controllers do comply with the principles but, since misuse of even small amounts of personal data can have very serious consequences, it is vital that we do all we can to prevent non-compliance," he said.
The ICO explained that it will decide on the appropriate fine by calculating the seriousness of the data breach, the likely damage, the distress caused to individuals, whether the breach was deliberate or negligent, and what reasonable steps the organisation has taken to prevent breaches.
Factors that will also be taken into account include an organisation's financial resources, sector, size and the severity of the data breach, in order to ensure that an organisation does not go out of business as a result of the fine.
The ICO gave the example of a marketing company collecting personal data stating that it is for the purpose of a competition, and then knowingly disclosing the data for commercial purposes without informing the individuals concerned.
Simon McDougall, head of privacy and data protection at consultancy Deloitte, suggested that the tone of the new policy would be set with the first few fines.
"While the largest fines may only be dealt out to larger firms for serious breaches of the Data Protection Act, all organisations are now faced with a very real threat of significant financial penalties over and above any existing operational clean-up costs and reputational damage should they suffer a breach," he said.
However, Ewen Anderson, managing director of consultancy Centralis, argued that penalising organisations that breach data protection principles is not necessarily the right way forward.
"Private sector organisations already face loss of trust and therefore substantial loss of business if data protection breaches are exposed," he said.
"The new legislation opens up the possibility of all organisations facing financial loss as well as damaged reputations, but there is always an argument that making the penalties too severe encourages organisations to conceal rather than be open and learn from such events.
"Only by sharing best practice and experience can organisations ensure that they have cost-effective ways to ensure that data remains safely within the centralised systems and storage where it belongs."
Chris McIntosh, chief executive of hardware encryption firm Stonewood, added that the news shows that the government is taking data loss seriously, but that more needs to be done.
"In line with stronger punishments for breaches of the DPA, there must also be a stronger message from the government. Businesses have so much bureaucracy and red tape to deal with when it comes to data compliance that it is too confusing to be effective," he argued.
"Government needs to provide simple, straightforward legislation regarding the protection of personal data through encryption."