The seriousness of personal data breaches

Our privacy is, for good reason, important to all of us.

What a person has in his or her bank account, what a person chooses to write and to whom, what telephone calls a person chooses to make and to whom and other matters of that kind are, save in exceptional circumstances, the business of the individual and of nobody else.

The law recognises that right and protects it.

So begin the sentencing remarks of His Honour Judge McCreath in the Southwark Crown Court on 20 December. The sentences in question were imposed on three men who had been found guilty of offences under section 55 of the Data Protection Act 1998 (DPA). They took place against the background of the bidding for tenancy of the Olympic Stadium. The fines given were not insignificant: £100,000 for Howard Hill, £13,250 for Lee Stewart and £10,000 for Richard Forrest.

It is often said that the sanctions for a criminal breach of the DPA are inadequate. The Information Commissioner regularly recommends the commencement of statutory provisions which would allow a custodial sentence to be imposed in appropriate circumstances, and, indeed, after Lord Justice Leveson made the same recommendation, the government announced it would consult on whether to make the necessary Order to effect this.

It is certainly true that some sentences for the offence (of knowingly or recklessly, without the consent of the data controller, obtaining or disclosing personal data or the information contained in personal data) seem derisory. One stark example was the meagre £150 fine for a probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator. However, it should be noted, and the Olympic Stadium offenders’ sentences illustrate this, that the offence is, by virtue of section 60(2) of the DPA, an either-way offence. The always illuminating ukcriminallawblog has an excellent post explaining what this means:

[either way offences] are offences that can be tried either (hence their name) in the Magistrates’ or the Crown Court. These are generally cases where the culpability (the harm caused to society) is wide ranging and therefore sometimes they will be very minor offences and sometimes very serious ones…For example, theft is either way. It can vary from someone who shoplifts a packet of crisps up to somebody who steals millions of pounds from a bank.

On a plea of non-guilty to a section 55 charge the prosecution will be transferred to a crown court if it appears to the magistrates’ court that the likely sentence exceeds their maximum sentencing power of a £5000 fine. Once transferred, the fine is potentially unlimited. This is why the fines were so high in these cases.

I won’t rehash what is in the very clear and instructive sentencing remarks. But what I will say is that the seriousness with which a section 55 DPA offence is viewed by a court is inherently tied up with what value society attaches to privacy and security of personal data.

That value changes over time, and varies according to the evidence of the impact DPA contraventions have on the individuals affected.


Filed under Data Protection, Information Commissioner

4 responses to “The seriousness of personal data breaches

  1. Tim Turner

    I don’t disagree with any of this. However, I think the Information Commissioner’s relentless focus on the need for custodial sentences should not change despite these high fines. The theoretical possibility of a big fine if the dominoes tumble in a certain direction will not have the deterrent effect of a jail term.

    • I agree, and I wouldn’t want it thought that I oppose the commencement of the custodial offences provisions. But I do wonder – if there is a current lack of prosecutorial or judicial will to press for or impose higher fines, would there be a similar lack of will to push for or impose custodial sentences if they were available?

  2. The law also protects our privacy if we are serial abusers of learning disabled people who target, bully and get rid of whistleblowers when exposed:

    Or maybe that’s not so serious?

  3. Pingback: Why no prison sentences for misuse of medical data? | inforightsandwrongs

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s