Further calls for custodial sentences for serious data breaches

Two cases have come to light highlighting the urgent need for custodial sentences for those who unlawfully obtain or disclose personal information. We have warned about the effects of lax attitudes to data protection, highlighting that the seriously low rates of punishment and the shockingly low fines that are handed out do little to deter those who seek to illegally access and share personal information.

We have repeatedly called for the government to introduce custodial sentences for those found guilty of an offence under section 55, where personal data is obtained unlawfully. This stance is echoed by the Information Commissioner’s Office, the Home Affairs Select Committee, Lord Leveson, the Joint Committee on the draft Communications Data Bill and the Justice Select Committee. The fact that unlawful breaches of section 55 are not recorded on a criminal record, coupled with the low fines handed out, means that some personnel trusted with our personal information continue to abuse that trust.

In one case, an ex-Barclays employee was prosecuted under section 55 of the Data Protection Act and fined £2,990 for 23 offences, a mere £130 per offence. The individual was reported after a customer reported that information about his account had been passed to their partner. Tellingly, the accused admitted to illegally accessing the customer’s details 22 times over a three-month period, despite being fully aware that she was breaking the law by doing so.

In another case, it was announced that the ICO will be investigating 19 blue-chip clients of corrupt private investigators, including law firms, financial organisations and insurance companies, for allegedly unlawfully obtaining personal information on up to 125 victims. The ICO has spent two weeks trawling through 31 files of invoices, notes and reports that were originally seized by the Serious Organised Crime Agency during an investigation that began in 2008. SOCA’s officers are accused of knowing that private investigators had committed serious criminal offences, including computer hacking, from as far back as 2006, yet they took no action. The ICO has raised concerns that this “seven year dither” may allow the clients to escape prosecution.

The ICO has called for stricter punishments for data breaches, including the threat of prison. We call on the government to act to introduce tougher penalties for individuals who illegally access and disclose personal information. Without much tougher penalties that are enforced by the courts, these incidents will certainly not be the last data breaches that come to light.