Harsher punishment, including a prison sentence, should be delivered to criminals who breach the Data Protection Act, MPs on the Justice Committee has said.
Harsher punishment, such as a prison sentence, should be delivered to criminals who breach the Data Protection Act, MPs on the Justice Committee has said.
They said that custodial sentences were required because the current fines imposed for data breaches – a maximum £5,000 is possible but in practice fines are much lower – were not enough of a deterrent.
Sir Alan Beith, the chair of the Justice Committee, said: “Using deception to obtain personal information – sometimes known as blagging – or selling it on without permission are serious offences that can cause great harm.
“Fines are used to punish breaches of data protection laws, but they provide little deterrent when the financial gain exceeds the penalty.
“Magistrates and judges need to be able to hand out custodial sentences when serious misuses of personal information come to light. Parliament has provided that power, but ministers have not yet brought it into force – they must do so.”
For example a nurse providing patient details to her partner who worked for an accident management company was only fined £150 per offence, even though such companies pay up to £900 for a client’s details.
The MPs also called for a strengthening of the Information Commissioner’s Office’s (ICO) power, to allow them to carry out compulsory information audits on private sector companies suspected of misusing personal data.
They claimed that had the ICO had this power, it would have been able to identify and deal with problems, such as the referral fees of insurance companies and personal injury lawyers, earlier.
“The Information Commissioner’s lack of inspection power is limiting his ability to identify problems or investigate potential data abuses.
“Minister must examine how to enable the Commissioner to investigate properly without increasing the regulatory burden on business or the public sector,” said Beith.
The MPs' report did not, however, make any recommendations for how the ICO could strengthen the sanctions against organisations who breach the Data Protection Act due to a lack of care or appropriate information controls.