You are here: Parliament home page > Parliamentary business > Publications and Records > Hansard > Commons Debates > Public Bill Committee Debates > Public Bill Committee

Memorandum submitted by the Information Commissioner (CJ&I 398)

 

 

The Information Commissioner promotes compliance with and enforces the Data Protection Act 1998 (the Act) which regulates the way organisations handle and use information about individuals. Protecting the privacy of individuals is at the heart of the Act.

 

Respect for privacy is one of the foundation stones of the modern democratic state. It is enshrined in the European Convention on Human Rights and is directly enforceable in UK courts through the Human Rights Act 1998. Failure to respect an individual's privacy can lead to distress and in some circumstances mental, physical and financial damage. At a time of increasing information sharing within and between the public and private sectors it is essential that the shared information is kept secure and that individuals trust that their privacy will be properly protected.

 

Section 55 of the Act makes it an offence to obtain, disclose or procure the disclosure of confidential personal information knowingly and recklessly without the consent of the organisation that holds the information. In May 2006 the Information Commissioner presented a special report[1] to Parliament which exposed an extensive and lucrative illegal trade in confidential personal information. At the centre of the trade were networks of middlemen, often involved or associated with the private investigation industry, and their clients included private individuals, the press, finance companies, insurers and local authorities. The suppliers and, in many cases, the customers involved in the trade were committing the offence at Section 55 of the Act.

 

People care about their personal information and have a right to expect that their personal details are and should remain confidential. Who they are, where they live, who their friends and family are, how they run their lives and their health and wellbeing; these are all private matters. Individuals may choose to divulge such information to others or an intrusion into their privacy may be necessary in the public interest and allowed under law, but information about them which is held confidentially should not be available to anyone prepared to pay the right price.

 

The report demonstrated that the current penalty regime is too weak, often resulting in a derisory fine or conditional discharge which has not succeeded in stemming the illegal trade in confidential personal information. Furthermore the low penalties devalue the offence in the public mind and mask the true seriousness of the crime. The main recommendation of the report was the introduction of a possible two year prison sentence for those convicted of committing offences under Section 55 of the Act.

 

In December 2006 the Information Commissioner presented a follow up report[2] to Parliament detailing the progress made in stopping the illegal trade in personal information. In particular the Information Commissioner welcomed the fact that the Government had recognised that the current penalties are too low and was consulting on raising the possible penalty to include prison sentences. Further to that consultation the Government included clauses in the Criminal Justice and Immigration Bill which would bring into effect the Commissioner proposals and that the Committee is currently considering.

 

The Information Commissioner welcomes the action taken by the Government and continues to believe that it is necessary for data protection offences at Section 55 of the Act to carry a maximum penalty of up to 2 years imprisonment on conviction on indictment and up to 6 months on summary conviction. The custodial sentence will be an additional option for the courts and will impress the seriousness of the crime upon individuals and organisations. It will particularly serve as a deterrent for those that could dismiss a fine as a business overhead while making considerable profit from their illegal activity.

 

There have been concerns from sections of the press that a custodial sentence in addition to the existing fines will have a chilling effect on investigative journalism. It is important to note that a new criminal offence is not being created and that an offence will not have been committed where in the particular circumstances the obtaining or procuring was in the public interest. Journalists pursuing stories that are in the public interest will not be committing an offence but they should be aware of the offence and think carefully before obtaining personal information by deception. The Information Commissioner has given a commitment to work with the media industry to help journalists and editors comply with the Act.

 

Since the publication of the follow up report the Information Commissioner continues to see evidence of the existence of an illegal trade in personal information and is investigating and prosecuting offences under Section 55 of the Act. The ongoing investigations involve information held by government departments, telecommunications companies, financial institutions and health trusts.

 

In April this year Infofind Ltd, a tracing company, and its managing director Nick Munroe pleaded guilty to 44 counts of illegally obtaining the personal information of hundreds of individuals held by the Department for Work and Pensions and selling it on to a finance company tracing debtors. In each case the people illegally obtaining the information impersonated DWP employees in order to gain access. In addition to this prosecution there have also been 24 written undertakings and 7 cautions issued to other individuals and organisations since the follow up report was published.

 

The importance of custodial sentences for people who unlawfully access personal information was highlighted by the Health Committee in their report 'The electronic patient record'[3] released in September 2007. The Committee welcomed the proposed custodial sentences when considering the necessary operational security of electronic patient records and underlined the need for effective enforcement. The security of electronic patient records is essential to protect the privacy of patients and for them to trust that their confidentiality will be respected.

 

Furthermore the Science and Technology Committee in their Personal Internet Security report[4] published in August this year urged the Government to look at the effectiveness of the Information Commissioner in enforcing good standards of data protection and recognised that amongst other problems faced by the Commissioner the existing penalties for offences are inadequate.

 

The Information Commissioner hopes that the Criminal Justice and Immigration Bill Committee will share his opinion that the wilful abuse of personal information is a serious concern and that the courts should have the option to hand down custodial sentences which are a necessary deterrent in helping to stamp out the illegal trade.

 

 

November 2007

 


[1] The Information Commissioner, What price privacy?, HC1056, 10 May 2006

[2] The Information Commissioner, What price privacy now?, HC36, 13 December 2006

[3] The Health Committee, The electronic patient record, HC422-I, 13 September 2007

[4] The Science and Technology Committee, Personal internet security, HL Paper 165-I, 10 August 2007