Winchester Vacancies

Minister rejects calls for early introduction of custodial offences for data breaches

The government should exercise its powers “without further delay” to introduce custodial sentences for people guilty of serious data protection offences, an influential group of MPs has said.

However, Lord McNally, a junior minister at the Ministry of Justice, rejected the calls from the Justice select committee, saying the government would wait until the outcome of the Leveson inquiry before taking action.

Section 55 of the Data Protection Act makes the knowing or reckless obtaining, disclosing or procuring the disclosure to another person of personal data a criminal offence, which includes so-called “blagging”. But the only available penalty is a fine.

In a report issued today after hearing evidence last month from Information Commissioner Christopher Graham, the committee said it accepted the ICO’s argument that the issue of custodial sentences for s. 55 offences was “not exclusively, or even primarily, an issue relating to the media”.

The issue should therefore be dealt with by Parliament without waiting for the outcome of Lord Justice Leveson’s inquiry, the MPs said.

Graham told the committee last month that it “beggars belief that – in an age where our personal information is being stored and accessed by more organisations than ever – the penalties for seriously abusing the system still do not include the possibility of a prison sentence, even in the most serious cases.”

The MPs said they shared the Commissioner’s concern and dissatisfaction. “Currently the only available penalty is a fine, which we feel is inadequate in cases where people have been endangered by the data disclosed, or where the intrusion or disclosure was particularly traumatic for the victim, or where there is no deterrent because the financial gain resulting from the crime far exceeds the possible penalty,” they added.

The select committee also called for the ban on referral fees not to be limited to personal injury cases.

“We hope that when implementing the ban, the government will take into account the fact that referral fees reward a range of practices that are already illegal,” they said. “Banning referral fees, together with custodial sentences for breaches of s. 55 of the Data Protection Act, would have the twin effect of both increasing the deterrent and reducing the financial incentives for these offences.”

The committee expressed concern at the Commissioner’s lack of inspection power, which it said was limiting his ability to investigate, identify problems and prevent breaches of the Data Protection Act. The problem was particularly acute in the healthcare and insurance sectors.

The ICO has only carried out three or four audits a month, even though such audits are free. None involved insurance companies.

The MPs said they agreed with the Commissioner that limits to his powers to compel audits were constricting his power to investigate.

“We call on the Ministry of Justice to work with the Information Commissioner to assess how the current system is working, and to consider why he has not formally requested the power to compel audits in any additional sectors and whether this process is unduly cumbersome,” the committee said.

“Following this the government should consider the best way to ensure the Commissioner can investigate in a timely manner while minimising the regulatory burden on both the public and private sectors.”

In a response annexed to the committee’s report, Lord McNally acknowledged that Graham was right to say that s. 55 offences were not limited to the media and the pursuit of celebrities’ personal data, and that recent prosections showed the activity could affect those who had never sought to be in the public eye.

“Nonetheless, this is a matter which we anticipate that Lord Justice Leveson’s inquiry into the culture, practices and ethics of the press may well want to look at,” he said.

The minister said the remit for the Leveson inquiry specifically included looking at the media regulatory framework in relation to data protection. Lord McNally also pointed out that there was a statutory duty to consult the media before making an order under s. 77 of the Criminal Justice and Immigration Act (which would introduce custodial offences).

“The government will therefore want to look at what the Leveson inquiry recommends on these questions before deciding what action to take,” the minister said, although he insisted that this did not mean the government was disregarding the issue in the meantime.

Lord McNally argued that there may be other ways of making the illegal trade in personal data less lucrative, such as using the Proceeds of Crime Act 2002 (used against two former employees of T-Mobile who sold customer data).

“It is also important to bear in mind the wider landscape governing the activity,” the minister said. “In many case, a section 55 offence may be committed as part of a course of criminal conduct which involves the commission of other offences.”

These include the unlawful interception of communications under the Regulation of Investigatory Powers Act 2000, the unauthorised access to computer material under the Computer Misuse Act 1990, and dishonestly making a false representation with a view to financial gain under the Fraud Act 2006. Lord McNally also pointed to offences under the Bribery Act 2010.

The minister said he would consider consulting on whether to widen the Commissioner’s powers to compel organisations to undergo an audit, should Graham request such a designation.

But he added that a new instrument on data protection was currently being considered at EU level and a proposal was expected from the European Commission shortly. The Commissioner’s powers would almost certainly be considered in this context, the minister said.

On the issue of referral fees, Lord McNally highlighted the efforts of a working group – including the ICO and the Ministry of Justice’s Claims Management Regulation Unit – established to tackle unsolicited text messages and automated telephone calls marketing claims management and debt management services.

He added that the MoJ and the ICO were separately in the process of agreeing a memorandum of understanding to allow them, through sharing information and intelligence, to work together to tackle data misuse by authorised claims management companies.

Philip Hoult