Jail Sentences for Data Protection Offenders


The House of Commons' Home Affairs Select Committee are encouraging the Home Secretary to introduce jail sentences as a possible punishment for data protection offenders. This is to act as a stronger deterrent than the current, quite ineffective fines. 

It is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data", under Section 55 of the Data Protection Act (DPA). However, personal data has never been easier to access, and the risk of information being leaked is an increasing concern. There are many new suppliers of information who are unlikely to understand or take notice of the rules with which they must comply.

While the maximum fine for committing a Section 55 offence is £5,000 when the case is heard in a Magistrates' Court, and unlimited when tried in a Crown Court, the typical fine is generally no more than £100. This is not sufficient to act as a deterrent, say the Home Affairs Select Committee. They are recommending that penalties be strengthened by use of the Home Secretary's power under section 77 of the Criminal Justice and Immigration Act 2006. As the Justice Committee did last year, the Home Affairs Select Committee suggest that jail sentences be put in place for data protection offenders. The Information Commissioner has stated that the current "chicken feed fines" are unable to act as strong deterrents for individuals unlawfully accessing or sharing information.

The Criminal Justice Act states that new regulations can be introduced by the Justice Secretary, allowing custodial sentences to be imposed for offences under Section 55 of the DPA. Unfortunately, such powers have not been exercised, despite overwhelming support following a Government consultation in 2006 on "increasing penalties for wilful misuse of personal information", according to the Information Commissioner's Office (ICO).

Specifically, there is concern about the unlawful obtaining of information by both private investigators and private investigation firms. MPs are saying that both should be regulated by a new Security Industry Authority and that they must comply with a new Code of Conduct for Private Investigators.

MPs are also calling for Private Investigators to be required to have a licence. If they fail to comply with the regulations, individuals should have their licence suspended, should be barred from "engaging in investigation activity" and face "meaningful penalties for the worst offences." This code of conduct would apply also to sub-contracted and part-time investigators. MPs said such a licensing and registration regime could be put in place before the end of 2013. 

Another step the Parliamentary committee hope would improve data protection security is the separation of private investigators and police forces. Any contact between the parties should be carefully documented. What's more, a ban should be put in place to prevent police officers working in private investigation for at least a year.

MPs have also recommended merging the functions of the Information Commissioner, the Chief Surveillance Commissioner and the Interception of Communications Commissioner. This would form the new 'Office of the Information and Privacy Commissioner'. Working as one unit could be a step forward in the protection of individuals' private data.


Brian can be contacted at Stone King, Solicitors.

 
