Sunday, 5 August 2012

Data Protection Crime (and Punishment)

When you’re a Data Protection Officer, writing a business case for something or other, it’s always useful to have the odd fact up your sleeve to help emphasise the need (and urgency) for action.

For some time, many of us have been using the ICO’s “£500,000 fine” line, assuming that the possibility of a civil monetary penalty as enormous as this would inspire the business to start to invest in data protection at a level that really was commensurate with the risk that was being run.

Of course, it’s worked – to a limited extent. And, with each new Civil Monetary Penalty, some businesses get even more concerned that their dodgy practices might come to light.

The trouble is, of course, that fines are only money. And, in the public sector, removing money from public authorities it simply means less public funding for essential services.

If I had my way, I would have the Chief Executive Officer of the relevant authority washing cars in the Commissioner’s car park for a day, to atone for his sins. Or I would have the ICO having the power to aware an order requiring the authority to invest £x in enhanced data protection safeguards, rather than having that £x returned to the Exchequer.

Perhaps there’s another line that Data Protection Officers can use, which might be even more effective in delivering higher standards.

How about jobs!

A little while ago, our chums at BigBrotherWatch did some work to learn how many policemen were misbehaving, data protection wise. Police authorities were asked to provide a clear, itemised list of the offences committed by the individual in question i.e. "Abusing privileged access to the Police National Computer" or "Passing information to an unauthorised third party”.

The research revealed that, between May 2008 and May 2011:
• 243 police officers and staff received criminal convictions for breaching the Data Protection Act;
• 98 police officers and staff had their employment terminated for breaching the DPA;
• 904 police officers and staff were subject to internal disciplinary procedures for breaching the DPA.

These are quite impressive figures – not only have the police authorities actually collected this information, but they indicate a level of internal HR activity which shows that the police do recognise that such behaviour really is unacceptable.

Such levels of internal HR activity possibly explain why the ICO has not found it appropriate to take court action against individuals in many cases. The last 3 ICO annual reports contain relatively few examples of action being taken against offenders.

The 2011/12 annual report contained one report of a prosecution action at Reading Magistrates Court against an employee of Slough Borough Council Benefits Office in March 2012 and two company directors. The employee had obtained and sold personal data to associates who were directors of a letting company, which was used by that company to chase up their tenants’ outstanding debts. Both company directors were each fined a total of £260 for two offences under the Data Protection Act. The Slough Borough Council employee was fined £690 for three offences under the Act.

The 2010/11 annual report noted that the ICO took prosecution action in five DPA cases, two of these relating to offences for unlawfully obtaining personal data. Both defendants in these cases pleaded guilty in the Crown Court. Due to the unlawful sale of data taking place over the course of a year and the amount of money involved, confiscation proceedings under the Proceeds of Crime Act 2002 were started and £78,000 was recovered.

The other three cases, involving two estate agents and one private investigator, were prosecuted in the Magistrates Court for failing to notify the Commissioner that they were processing data electronically. All three defendants had failed to respond to correspondence from the office reminding them of their requirement to notify.

The 2009/10 annual report noted that seven bodies (a mix of individuals and organisations) were prosecuted for failing to notify as data controllers with the ICO. Two were prosecuted in the Crown Court and one received a fine of £5,000. In another, a director was also convicted in his individual capacity and received a separate penalty to that of the organisation. Two other organisations were prosecuted for failing to respond to enforcement notices. One was an individual who was prosecuted for not notifying and was dealt with in the Crown Court. The other individual received fines totalling £5,200.

The ICO also investigated suspicions that a covert blacklist was operating in the construction industry. The custodian of the list was the Consulting Organisation. Ian Kerr (on behalf of the CA) was sentenced to a £5,000 fine and ordered to pay £1,187.20 in costs.

OK. What about recent Computer Misuse Act offences? Is a pattern emerging here? Can we use these prosecutions to support the need for greater data protection standards?

Well, these figures are not easy to decipher. Between 2006 and 2010, there were some 100 prosecutions involving the Computer Misuse Act, but the number of prosecutions may well have declined over recent years. As John Leydon of The Register explained: “It would be rash to read too much into the figures, especially since the stats only cover prosecutions where computer hacking offences were the principal offence under consideration by the courts. So if a suspect was convicted of banking fraud or phishing as well as computer misuse, and received a harsher sentence for the fraud, then the computer hacking prosecution would go unrecorded. In addition, the figures supplied provide no breakdown on the number of UK computer hacking prosecutions that actually resulted in a conviction.”

So what does this tell us?

Not much, admittedly.

It tells me, at least, that there are some people who are getting prosecuted for data protection offences. But there aren’t many of them. Whether the whispered additional powers (yes, criminal sanctions for more types of offences) that are to be added to the Data Protection Act will have much effect, only time will tell. After all, who knows when this will happen. And even when it does, who knows what appetite the authorities will have to actually use them. With ever fewer resources being made available to the Crown Prosecution Service, I expect that they will be hard pressed to continue to make full use of the existing powers they have, let alone have the resources to apply new sanctions to new categories of miscreants.


Image credit: