Out-Law News

Government to consult on whether to make imprisonment potential sanction for data protection offences

The Government is to consult on whether to introduce new laws that would make it possible for judges to send individuals to jail for offences under the Data Protection Act (DPA).

In response to an independent review of public sector information (PSI) (63-page / 931KB PDF) conducted by YouGov chief executive Stephan Shakespeare, the Government said that there were already a number of existing laws under which those who misuse personal data could be sentenced to imprisonment. However, it said that it would consult on whether to introduce new regulations that would permit judges to send those who breach section 55 of the DPA to jail.

In his report published last month, Shakespeare said that there needs to be "stronger measures for misuse of data" and said that "there is further work required" to address concerns about section 55 offences being subject to inadequate sanctions.

Lord Justice Leveson, in his report into the culture, practices and ethics of the press, called on the Government to bring dormant provisions under the Criminal Justice and Immigration Act (CJIA) into law.

Under section 77 of the Criminal Justice and Immigration Act, the Justice Secretary has the power to introduce new regulations that would allow a custodial sentence to be available as a sanction to offences under section 55 of the DPA. Those powers have yet to be used. In 2008 the Act came into force without the jail term penalty being immediately available.

Leveson echoed calls made by two Parliamentary committees – the Home Affairs Select Committee and Justice Committee (http://www.out-law.com/en/articles/2011/october/personal-data-blaggers-should-go-to-jail-mps-say/) – in two separate reports published in the last two years.

Information Commissioner Christopher Graham has also frequently bemoaned the current penalties that are available to sanction data protection offenders and has made repeated calls for the CJIA provisions to be brought into force.

"The Government believes that misuse of personal data should be taken very seriously, however, it is important to note that there are already a range of existing offences that cover the misuse of personal data," the Government said in its report. "These include fraud by false representation in breach of the Fraud Act 2006 and bribing another or being bribed contrary to the Bribery Act 2010. The offence of unlawful interception of communications under Regulation of Investigatory Powers Act 2000 and unauthorised access to computer material under the Computer Misuse Act 1990, both carry a maximum two year prison sentence."

"It is the Government’s intention to conduct a public consultation on the full range of Lord Justice Leveson’s data protection proposals, including on section 77 of the CJIA, which will seek views on their impact and how they might be approached," it added.

Section 55 of the Data Protection Act (DPA) states that it is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data".

The current penalty for committing a section 55 offence is a maximum £5,000 fine if the case is heard in a Magistrates' Court and an unlimited fine for cases tried in a Crown Court.

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, previously said that it is "perverse that organisations and individuals guilty of accidental breaches of personal data can be issued with monetary penalty notices of up to £500,000 for those breaches, but organisations and individuals guilty of a criminal offence of deliberately invading privacy and misleading others can escape with a relatively minor punishment".

In its response to the Shakespeare review, the Government also announced that the Law Commission is undertaking a review of data sharing between public bodies. It said that there are "many misconceptions" about how the DPA impacts on data sharing and said that the issue "will need to be addressed" in order to ensure wider access to PSI.

"The Law Commission is conducting a scoping project on data sharing between public bodies looking specifically at the barriers public bodies might be encountering to data sharing that is preventing them fulfilling their duties to citizens," the Government said. "The report will consider whether any such barriers are legal, rather than cultural or based on a misunderstanding of the law. The review is due to report in the Spring of 2014."

Shakespeare had said that the DPA was "frequently, and often unjustifiably, cited as a blanket reason to not share or reuse data". His report referenced a study by Deloitte which had suggested that legal and regulatory barriers do not act as a barrier to "generating value and market development" around PSI, but that "perception and awareness" are to blame instead.
