The Information Commissioner has called for tougher penalties over the reckless misuse of data, after police officers were found to have wrongly handed over sensitive data to dangerous individuals.
In a response to a government consultation, Information Commissioner Christopher Graham argued that the maximum penalty of two years’ jail time should be the standard for sentences handed out after individuals breach confidentiality, under section 55 of the Data Protection Act.
Such a penalty was vital “if the law is to provide an effective deterrent against the illegal trade in personal data”, which was “widespread and organised”, he wrote in his response. Exceptions should be made for journalists and artists, he stated, when there is a “reasonable belief” that obtaining and disclosing the information was in the public interest.
In one incident of reckless data use, a police officer in Essex unlawfully searched the Police National Computer and other systems 800 times. He passed on mobile phone records and checked up on his housemate’s two sisters. He was only fined £750.
In another incident, a police officer in Derby passed on a 79-year-old man’s address to the husband of a woman with whom the man had had a parking dispute. The husband later threw a brick through the pensioner’s window, leading to his death from shock. While the husband was convicted of manslaughter, the police constable was fined only £1,200 for searching for and providing the address.
Graham also highlighted a number of serious misuses of data outside the police. There were significant dangers of criminals accessing utility bill information, as well as medical records, where he said the risks would “only become greater” as health records are linked nationally.
In one case a private investigator firm made calls to a rape victim’s GP and utility companies, in order to obtain data. The female victim believes the information was being sought in order to help find her and exact revenge on her for giving evidence in court against her attacker. The caller was fined £6,500.
Separately, an employee at the Department of Work and Pensions handed over the addresses of eight people in debt to a caller who pretended to be another DWP worker but who was acting on behalf of a debt collection company. Shortly afterwards, other DWP employees handed over the details of a further 242 individuals.
Instead of principally blaming the DWP employees, the ICO said that in this case the error was owing to the skill of the bogus caller, who had convincingly supplied bogus information. The private investigator firm that employed the caller was fined £3,200, which Graham said did “little to deter a highly profitable business”.
Graham insisted that jail time was the necessary penalty for instances such as these. He added: “In many cases a fine alone will be looked on by the offender as little more than a business expense or simply as a risk worth taking.”