Referral fees and the theft of personal data: evidence from the Information Commissioner - Justice Committee

Referral fees and the theft of personal data: evidence from the Information Commissioner

1.  On 13 September we held an oral evidence session with Mr Christopher Graham, the Information Commissioner. A number of important and timely issues were raised, to which we would like to draw the attention of the House. We also asked the Ministry of Justice (MoJ) for a written response to the Information Commissioner's comments, which is published with this Report.

Custodial Penalties for breaches of the Data Protection Act

2.  The Data Protection Act 1998 (DPA) gives people the right to know what information is held about them and to correct information which is wrong. The DPA also protects the interests of individuals by obliging organisations to manage the personal information they hold in an appropriate way. Section 55 of the Act makes the knowing or reckless obtaining, disclosing or procuring the disclosure to another person of personal data a criminal offence. Section 77 of the Criminal Justice and Immigration Act 2008 gave the Secretary of State power to make an order (subject to affirmative resolution) to introduce custodial sentences of up to two years for section 55 offences. Section 77 of the 2008 Act has been commenced, but the order-making power has not been used. Section 78 of the 2008 Act (which has not been commenced) would introduce a public interest defence for section 55 offences.

3.  The DPA sets out the current penalties for section 55 offences. A fine of up to £5,000 may be imposed in the magistrates' court, or an unlimited fine in the crown court. However, in practice fines are much lower, in part because judges and magistrates must take into account the defendant's ability to pay.[1] The Information Commissioner's 2006 report What Price Privacy? included details of 26 criminal cases, in which all of those involved received a fine and/or conditional discharge. The highest fine was £1,000 per offence, but some fines were as low as £50 per offence.[2] More recent cases have seen fines of £100-£150 per offence.[3]

4.   Mr Graham drew to our attention several problems with the current level of penalties. The first is that breaching the DPA can be extremely profitable. In one case a nurse was providing patient details to her partner who worked for an accident management company. A fine was imposed of £150 per offence, but accident management companies pay up to £900 for one client's details.[4] The Information Commissioner's 2006 report estimated that people were charging around £750 per "mobile telephone account enquiry", and £500 for an unauthorised criminal records check, far more than they are likely to be fined even if caught.[5] The second issue concerns cases which might not have a financial motivation, but where the potential or actual impact of the crime is severe. A woman whose husband had been jailed for sexual assault accessed the bank account details of the victim. The woman attempted to monitor the victim's spending and social activities but was only fined £100 per offence.[6] In 2008, two former members of the BNP posted the party membership list on the internet. The district judge at Nottingham Magistrates' Court said: "It came as a surprise to me, as it will to many members of the party, that to do something as foolish and criminally dangerous as you did will only incur a financial penalty."[7]

5.  Mr Graham told us that the Government was looking at doing more, including seeking restitution under the Proceeds of Crime Act 2002, and investigating making section 55 offences recordable offences.[8] However, he did not feel that this was enough:

It just beggars belief that, when more and more organisations have a right to our personal information, to access and process it, the courts do not have the full range of potential sentences to deal with an offence which can involve any of us. This is not about celebrities' hospital appointments. This has the potential to wreck people's lives. Parliament cannot just sit back and watch this sort of thing happen.[9]

6.  Mr Graham also told us that he was worried that the issue of custodial sentences would be "caught up in the reeds" of Lord Justice Leveson's inquiry into the culture, practices and ethics of the press. Lord Justice Leveson aims to publish his initial report in the "broad timeframe" of July 2012.[10] However, Mr Graham argued that: "[Parliament] cannot subcontract that to a High Court judge. Sections 77 and 78 of the 2008 Criminal Justice and Immigration Act are there to be commenced, and it is in your power to do that."[11]

7.  The MoJ told us in its written submission that in many cases section 55 offences were committed in conjunction with other offences which already carry custodial sentences. These include telephone and computer hacking, fraud (which can include pretending to be someone else in order to gain access to information for financial gain), bribery, misfeasance or misconduct in a public office, and perverting the course of justice. The MoJ also said that, while it recognises that section 55 offences "are by no means limited to the media", it anticipates that Lord Justice Leveson may well want to look at the issue. It intends to wait for his recommendations before deciding what action to take.[12]

8.  It is clear to us that the current penalties for section 55 offences are inadequate. If people can make more money from a single offence than the fine which would be imposed for such an offence, then there is no deterrent. There are also cases where people have been endangered by the data disclosed, or where the intrusion or disclosure was particularly traumatic for the victim, and a fine is not an adequate sentence. The MoJ has drawn our attention to the fact that many section 55 offences are committed in conjunction with offences which do carry custodial sentences. However, we believe that section 55 offences can by themselves be serious enough to warrant a custodial sentence.

9.  We accept the Information Commissioner's argument that the issue of custodial sentences for section 55 offences is not exclusively, or even primarily, an issue relating to the media and that the issue should be dealt with by Parliament without waiting for the outcome of Lord Justice Leveson's inquiry. We urge the Government to exercise its power to provide for custodial sentences without further delay.

Referral fees

10.  Parliamentary and media activity has recently highlighted the practice of various organisations, including car insurers, police, towing companies, garages, hospitals, and accident management companies in supplying data to personal injury lawyers.[13] This may be legal if the subject gives their consent, but if they have not done so it is likely to constitute a breach of section 55 of the DPA. Personal injury lawyers will pay a referral fee of up to £900 for each case they receive. Paying such large referral fees drives up the cost of personal injury claims, and is a powerful incentive for organisations (or individuals) to pass on information without permission.

11.   Mr Graham told us that even in cases where insurance companies had a clause in the small print of policies giving them permission to pass data to lawyers the practice might still not be legal:

Potentially it is a breach of the first data protection principle. It is not fair processing if you claim consent and all your policy holders say, "I don't know what you're talking about—I never knew."[14]

12.  During the evidence session we were struck by the range of illegal behaviour that referral fees can reward, from individuals stealing data,[15] to companies with contracts or practices which breach the DPA,[16] to the sending of spam text messages to mobile telephones.[17] Clearly a system which makes criminality so profitable needs to be changed.

13.  On 9 September the Government announced its intention to ban referral fees. In a written ministerial statement, the Parliamentary Under-Secretary of State, Jonathan Djanogly MP, said:

Alongside the planned reforms to conditional fee agreements, the ban on referral fees will contribute to the Government's plans to tackle the compensation culture by discouraging unmeritorious claims and controlling the disproportionate costs of personal injury claims, without denying access to justice.[18]

14.  We welcome the Government's commitment to ban referral fees and we do not believe the ban should be limited to personal injury cases. We hope that when implementing the ban, the Government will take into account the fact that referral fees reward a range of practices that are already illegal. Banning referral fees, together with custodial sentences for breaches of section 55 of the Data Protection Act, would have the twin effect of both increasing the deterrent and reducing the financial incentives for these offences.

Lack of power to compel audits

15.  The Information Commissioner offers free audits to both public and private sector organisations to assess how effectively those organisations handle personal data. If problems are found the Information Commissioner will not impose a financial penalty if the organisation takes the steps he recommends to address them. If the organisation does not want the report published then it is kept confidential. However, the Information Commissioner's audit powers are limited: while central Government departments and a small number of other organisations must accept audits, the vast majority of organisations are free to decline.[19] In practice 29% of public organisations and 81% of private ones declined last year.[20]

16.  The Information Commissioner told us that there had been circumstances where he had been able to negotiate audits[21] but that his lack of power to compel audits was limiting his ability to investigate:

We are trying to find out from the Association of British Insurers what they have to say about [allegations around referral fees] and frankly they are not being very helpful at the moment. [...] This is where I am frustrated that I do not have the power to inspect. We have invited a number of insurance companies to undergo voluntary auditing and, surprise, surprise, they are not interested.[22]

17.  He went on to tell us about the concerns he had about data protection in the health service[23] and local government sectors.[24] The Commissioner has recently investigated five large data breaches in the health service and found all five organisations in breach of the Data Protection Act.[25] He told us that:

The Information Commissioner's Office has always taken the view that there ought to be the power of inspection. If we think there is a problem, I should not need to get a warrant to break the door down. The Information Commissioner, as the data protection authority, should have the right to come in and check on compliance.[26]

18.  The MoJ told us in written evidence that under current legislation the Information Commissioner must make a formal request to the Government for the power to compel audits in additional sectors. The Secretary of State must then conduct a consultation with the sector before legislation is introduced. The Government has not received any such request from the Information Commissioner. The MoJ also said that it agreed with the Information Commissioner that EU proposals on data protection (expected early next year) were likely to address the issue of the powers of Information Commissioners in this respect.

19.  We were surprised that the Information Commissioner has not made a formal request to the Government for the power to compel audits in any of the sectors about which he expressed concerns to us. However, we note that the referral fee issue alone has covered a wide range of sectors. The processes of applying for permission for each sector, with a consultation period for each, undermine his ability to respond in a timely manner to new information. While we are mindful of placing any additional regulatory burden on businesses or public authorities, we are concerned that the Information Commissioner's powers are limited in this way. If the Commissioner had been able to compel audits of insurance companies and personal injury lawyers, the issues around referral fees might have been identified and tackled sooner. We can see the merits of waiting for the publication of EU proposals in this area, but if those proposals are limited the Government should go further.

20.  We are concerned that the Information Commissioner's lack of inspection power is limiting his ability to investigate, identify problems and prevent breaches of the Data Protection Act, particularly in the insurance and healthcare sectors. The audits he offers are free and operate on a risk-based approach and in the last year he has only carried out three or four a month. We call on the MoJ to work with the Information Commissioner to assess how the current system is working, and to consider why he has not formally requested the power to compel audits in any additional sectors and whether this process is unduly cumbersome. Following this the Government should consider the best way to ensure the Commissioner can investigate in a timely manner while minimising the regulatory burden on both the public and private sectors.

Status of the Information Commissioner

21.  On 15 September 2011 the MoJ published a Framework Agreement setting out the respective responsibilities of the MoJ and the Information Commissioner. The Parliamentary Under-Secretary of State, Crispin Blunt MP, told the House in a written ministerial statement that:

Under the new framework mechanisms are put in place to enable the [Information Commissioner's Office (ICO)] to retain certain types of income, subject to the outcome of the Protection of Freedoms Bill, and the reporting requirements on the ICO are significantly reduced. In addition to this, a number of changes have been introduced to allow the ICO greater freedom to make certain financial and administrative decisions.[27]

22.  He went on to say that the agreement "enhances significantly" the independence of the Information Commissioner.[28] When Mr Graham gave evidence to us the agreement had not been published, but it had already been agreed. The Commissioner told us that the Framework Agreement gave him "greater confidence" when dealing with the MoJ but that:

if I am not seen as an officer of Parliament, reporting directly to Parliament, I have to negotiate my way through with many other Departments of State. I have to deal with the Cabinet Office Efficiency and Reform Group controls on marketing activity, which apparently cover the Commissioner's responsibility to offer advice and guidance. I have to get a tick on anything I propose to do. I am concerned about my website being dragged into some monster Government website,[29]

23.  Our predecessor Committee, the Constitutional Affairs Committee, first looked at this issue in 2006. It concluded that there was considerable merit in the Information Commissioner becoming directly responsible to, and funded by, Parliament, and it recommended that such a change be considered when an opportunity arose to amend the legislation.[30] It revisited the issue again in 2007 when it questioned whether it was appropriate for the MoJ to set the funding levels for the independent regulator and thereby directly influence its capacity to investigate complaints.[31]

24.  We welcome the Framework Agreement because it enhances the independence of the Information Commissioner. However, our position is the same as that adopted by our predecessor Committee in 2006, namely that the Information Commissioner should become directly responsible to, and funded by, Parliament.

1   Q 3

2   What price privacy? The unlawful trade in confidential personal information, HC 1056, 2006

3   Q 1

4   Q 22

5   What price privacy? The unlawful trade in confidential personal information, HC 1056, 2006

6   Q 1

7

8   Q 3

9   Q 1

10

11   Q 1

12   Appendix, p 11

13   E.g. Hansard, Tuesday 13 September 2011, col 896; House of Commons Transport Committee, The cost of motor insurance, Fourth Report of Session 2010-12, HC 59; and

14   Q 24

15   Q 22

16   Q 24

17   Q 22

18   HC Deb, 9 September 2011, col 32WS

19   Under the amended Privacy and Electronic Communications Regulations the Information Commissioner has limited powers to audit the providers of public electronic communications services. He can also audit public authorities listed under section 41A(2) of the DPA

20   Information Commissioner's Annual Report and Financial Statements 2010/11: Information is the currency of democracy, HC 1124

21   Q 11

22   Q 23

23   Q 11

24   Q 9

25   2011.aspx

26   Q 11

27   HC Deb, 15 September 2011, col 62-63

28   Ibid

29   Q 27

30   Constitutional Affairs Committee, Freedom of Information one year on, Seventh Report of Session 2005-06, HC 991

31   Constitutional Affairs Committee, Freedom of Information: Government's proposals for reform, Fourth Report of Session 2006-07, HC 415

© Parliamentary copyright 2011
Prepared 27 October 2011