Data Protection offences - Proposed Custodial Sentences

Richard Fox looks at the exploitation of personal data sharing, and discusses the Department of Constitutional Affairs' plans to introduce custodial sentences to deter those who seek to profit from the illegal trade in personal information.

 

The Department of Constitutional Affairs plans to introduce custodial sentences for data protection offences; offenders may face a prison sentence for the unauthorised disclosure of personal information. The DCA's Consultation Paper on increasing penalties for deliberate and wilful misuse of personal data (CP 9/06), make it clear that the proposed custodial sentences are aimed at those responsible for large scale abuse of personal data and businesses’ owners (and/or its employees) engaged in such activity may receive a custodial sanction.

 

Background

Currently, data protection offences are punishable on summary conviction by a fine not exceeding the statutory maximum (currently £5,000) or by an unlimited fine on indictment. For example, in detailing the money which can be made in illegal transactions, the ICO's report refers to an instance of a single person invoicing other organisations for up to £120,000 per month for positively tracing the whereabouts of individuals. The DCA impliedly suggests that those engaged in such a potentially profitable trade will only be deterred by the prospect of a custodial sentence.

 

Data Protection Offences

The relevant offences are set out in s 55 of the 1998 Act. Section 55(1) makes it an offence to obtain, disclose or procure the disclosure of personal information knowingly or recklessly without the consent of the data controller (ie, the business).

 

Under s 55(2), obtaining/disclosing or procuring without the consent of the data controller will not be an offence if the person can show that it was necessary for the prevention or detection of crime or if it was required or authorised by statute, rule of law, or court order. Furthermore, a person will not be found guilty of the offence if he can show that he acted in the reasonable belief that he had a right in law to act as he did, or that he would have had the consent of the data controller if they had known of the circumstances of the disclosing, obtaining or procuring. For example, a person will not be guilty if he is deceived into releasing the information and he was, at the time, acting in the reasonable belief that he had the right in law to release the information to that particular person. It is also a defence to show that the obtaining/disclosing or procuring was in the public interest.

 

There is a further offence under s 55(4)–(8) of selling or offering to sell personal data which has been (or subsequently is) obtained or procured knowingly or recklessly, without the consent of the data controller. The DCA reminds us that an advertisement indicating that personal data may be available for sale constitutes an offer to sell data. It also states that a person who wilfully obtains personal information by deception, ie 'blagging' personal information from a bank or individual data controller, would be guilty of this offence. Likewise, an employee who knowingly obtained personal information from the employer's records relating to another and sold it to a journalist would be guilty of this offence. However, the DCA states that it is unlikely that employees who mistakenly release information to 'blaggers' would be guilty of an offence, ie if they were at the time of releasing the information, acting in the reasonable belief that they had authority in law to act as they did.

 

Proposed Penalties

With the aim of deterring people from trading in personal data, the DCA proposes to amend s 60 to allow, on conviction of any offence under s 55, for up to six months' imprisonment (which will be extended to up to 12 months' imprisonment when s 154 of the Criminal Justice Act 2003 comes into force) on summary conviction and/or a fine of up to £5,000; and up to two years' imprisonment on indictment and/or an unlimited fine.

 

Comment

Richard Fox comments as follows: The DCA acknowledges that custodial sentences are the ultimate deterrent sentence, but it is confident, in the light of the ICO's findings, that the ultimate deterrent is now called for considering that the stakes in personal information are so high. Mass communications and ever increasing bandwidth and broadband speeds have made the trade in personal data particularly lucrative, although just how lucrative has not been fully appreciated until fairly recently.

 

The DCA, in this context, makes its case quite clearly. Less obvious is the veiled warning contained in the Consultation Paper to large corporations who may be tempted into participating in the trade in personal information by the benefits of sharing personal data accruing from reduced administrative costs and targeted marketing. This is perhaps because the DCA harbours more particular concerns over the opportunities for those seeking to trade in the personal data that is held and exchanged in vast quantities in the public sector.

 

In order to avoid current criminal penalties, investigation by the Information Commissioner’s Office and adverse publicity, business should take legal advice and ensure that they have all of the necessary data protection measures and policies in place, in order to ensure that it and its staff are not in breach of current and future law, especially prior to sharing or trading in personal information.