short lines

Getting tough on data crime

February 2007

The Government is cracking down on theft of personal information. For the first time, people who sell or deliberately misuse others' personal data could face a prison sentence of up to two years.

The Government has been increasingly concerned about an apparent growth in the trade in personal data, which threatens to undermine its strategy to facilitate greater data-sharing within the public sector. According to Lord Falconer, Secretary of State for Constitutional Affairs and Lord Chancellor, "Greater data sharing within the public sector has the potential to be hugely beneficial to the public and is wholly compatible with proper respect for individuals' privacy. One of the essential ways of maintaining that compatibility is to ensure the security and integrity of personal data once it has been shared."[i]

At present, offenders are liable to a fine of a maximum of £5,000 if convicted summarily in a Magistrates' Court, and an unlimited fine if convicted on indictment in a Crown Court (section 60), Data Protection Act 1998 (DPA)). The Information Commissioner (ICO) has highlighted that these penalties are not a strong enough deterrent:

In May 2006, the ICO presented a report to both Houses of Parliament in which it criticised the fact that prosecutions brought under the DPA have generally resulted in low penalties: either minimum fines or conditional discharges. It recommended the introduction of a custodial sentence for unlawfully trading in confidential private information to "discourage this undercover market and to send out a clear signal that obtaining personal information unlawfully is a serious crime".[ii]
In December 2006, the ICO followed this up with a new report to Parliament.[iii] The report contained an update on reactions to the earlier report which revealed the extent of unlawful trade in confidential personal information and described the progress being made to halt such trade. It also included a list of names of some of the UK's newspapers and magazines discovered to have bought people's personal information in search of a story.

As a result, the Department for Constitutional Affairs (DCA) initiated a public consultation. The response showed strong support for custodial sentences, with the notable exception of the newspapers, which argued against on the basis that unlimited fines in the Crown Court were adequate and that the imposition of custodial sentences would be incompatible with the European Convention on Human Rights (ECHR). However, the Government concluded that the increased penalties were necessary to protect people's rights and any interference with journalists' freedom of expression (Article 10 of the ECHR) would be justified and proportionate.

On the basis of the response to the public consultation, the Government decided that section 60 of the DPA should be amended to allow, in addition to the current fines, judges to sentence convicted offenders to up to two years in prison. The Government will seek to introduce legislation as soon as parliamentary time allows (it is not yet clear when this will be).[iv]

This move is intended to provide a larger deterrent and assure the public. Information Commissioner Richard Thomas has stated that "a custodial sentence will act as a deterrent. People care about their privacy and have a right to expect that their personal details remain secure. Information obtained improperly can cause significant harm and distress."[v] However, it remains to be seen whether the courts have the appetite to add data thieves to the growing prison population.

The Government's toughening stance is a positive development for businesses worried about data misuse by insiders, but it could also inhibit sharing of personal information in the public and private sectors for fear of committing an offence. Although the consultation document provides reassurance that those who make an error of judgment will not be guilty of an offence, it will ultimately be down to the courts to interpret the new provisions.

According to the DCA, the changes are particularly designed to stop private investigators obtaining information illegally. As the ICO's report highlights, it will also apply to any newspapers and magazines that are prepared to break the rules to get a story.[vi] They should note that, increasingly, the courts are prepared to protect privacy with tougher sentences:

In December 2006, Kingston Magistrates' Court sentenced a private detective to 150 hours of community service for knowingly obtaining and selling personal data without the consent of the data controller. The convicted man systematically impersonated individuals in order to obtain their personal information from organisations such as banks and phone companies (known as "blagging"), and then sold the information through his detective agency. This was the first time that such offences were punished by any sanction other than a fine.[vii]
On 26 January 2007, the royal editor of the News of the World and a private investigator were jailed (for four and six months respectively) for conspiring to intercept telephone calls without lawful authority. The individuals had used PIN codes associated with mobile phone numbers of royal aides and celebrities to access hundreds of voicemail messages, which they trawled for interesting information. Perhaps as a sign of things to come, the Judge warned that the case was nothing to do with freedom of the press but about "grave, inexcusable and illegal invasion of privacy. Neither journalist or private security consultant are above the law."[iix]

In a separate development, the new Fraud Act (which came into force on 15 January 2007)[ix] creates an offence of failing to disclose information. As an unlooked for consequence, data controllers who fail to give a proper data protection notice could, in theory, face up to 10 years in jail. However, the view amongst experts is that jail sentences are unlikely to result from data protection failings.

Chris Hawkins

[1]DCA Press Notice

[2]What Price Privacy?

[3]What Price Privacy Now?

[4]Response to the consultation

[5]ICO Press Release

[6]What Price Privacy Now?

[7]ICO Press Release

[8]The Register Article

[9] The Fraud Act 2006