Ministers told laws on data protection breaches too soft


Cahal Milmo
Wednesday 12 February 2014 18:56
Christopher Graham gives evidence to the House of Commons’ Home Affairs Select Committee
Christopher Graham gives evidence to the House of Commons’ Home Affairs Select Committee

The data watchdog has warned ministers that staff at blue-chip companies, including leading law firms, suspected of illegally obtaining personal information will escape jail if convicted of criminal offences because of their failure to enact legislation.

Christopher Graham, the Information Commissioner, told MPs there is a “weakness” in sanctions available to courts because the Government has failed to bring into force an existing law, which would allow custodial sentences for the most serious breaches of data protection laws.

At present, the maximum sanction for breaking the law is an unlimited fine for a criminal offence and a £500,000 fine for a civil breach. In practice, the penalties imposed are far lower.

Mr Graham said fines of £4,000 imposed in a recent case against a firm which “blagged” the home addresses of members of the public were “embarrassingly small” after a four-year investigation costing nearly £200,000. He added: “It is an expensive business and the penalty doesn’t fit the crime.”

He was speaking as the Information Commissioner’s Office (ICO) confirmed it had this week commenced action against four out of ten British firms where it has found “significant” documentary evidence of potential criminal breaches of the Data Protection Act (DPA) by issuing the companies with notices requiring them to surrender documentation.

The development is the latest stage in Operation Spruce, the ICO investigation sparked by revelations in The Independent that the now-defunct Serious and Organised Crime Agency (SOCA) failed to take action on dozens of files implicating leading companies, including legal firms, insurance companies and finance houses, as clients of a group of criminal private investigators.

Investigators are trying to establish whether lawyers, security companies, insurers and retailers deliberately breached the law in using private investigators who deployed illegal methods to obtain information from bank records to mobile phone bills on their behalf.

Giving evidence to the House of Commons’ Home Affairs Select Committee, Mr Graham said the inquiry had found evidence of “criminal and civil breach” of the DPA, which safeguards individuals’ private data. But he said insufficient powers of sentence for criminal offences, limited to a £5,000 fine in magistrates’ courts and open-ended fines in the crown court, were failing to provide an adequate deterrent.

He said: “I just think unless people feel ‘I could go to jail for this’, we are not going to get very much further. I could investigate and we will investigate… but I have to face the fact that it’s possible [convicted individuals or companies] would simply be looking at fines, and fairly modest fines.”

The commissioner said he would like to see ministers bring into force a 2008 amendment Section 55 of the DPA, a key part of the legislation which would provide custodial sentences ranging from jail to probation for the criminal procurement or disclosure of personal information.

He added: “Parliament needs to put pressure on ministers to commence the possibility of a custodial sentence. It is a law that [MPs] have already passed but it’s a question of getting ministers to press that button.”

Justice Secretary Chris Grayling announced last year that he was consulting on introducing custodial penalties for Section 55 offences after Lord Justice Leveson made the move one of the recommendations of his report into press standards.

Mr Graham said investigations were continuing into eight non-British firms, most of them understood to be based in America, where evidence had also been found of potential criminal wrongdoing. He will travel to Washington DC in March for talks which could lead to an investigation by the FBI.

He added that it will take up to eight further months before a decision is taken on whether prosecutions will be brought in Britain.

A spokeswoman for the Ministry of Justice said: "The Government regards breaches of the Data Protection Act as a serious issue. In the last few weeks we have begun to review the sanctions available for breaches of the Act so we can decide whether to increase the penalties as the law permits."

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

View comments