Probation officer prosecution should remind businesses of potential criminal penalties for data breaches, says expert

Out-Law News | 21 Aug 2013 | 12:21 pm | 3 min. read

The prosecution of a probation officer for handing over personal information relating to the victim of domestic abuse to the alleged perpetrator should act as a reminder to business of the criminal penalties they could face for breaching UK data protection laws, an expert has said.

Last week the Information Commissioner's Office (ICO) announced that Victoria Idowu had been fined £150 and ordered to pay a £20 victim surcharge, as well as £250 towards legal costs, by Camberwell Green Magistrates Court.

Idowu was fined after the ICO brought a prosecution against her for breaching Section 55 of the Data Protection Act. The prosecution was pursued after Idowu, a probation officer, told the alleged perpetrator of domestic violence the new address at which the victim of that abuse was living, the ICO said. That action prompted the victim to break off contact with police and other services involved and the investigation into domestic violence by the alleged perpetrator was subsequently dropped, the watchdog said.

Section 55 of the Data Protection Act (DPA) states that is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data" without the consent of those who control the data.

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind, said that there were lessons businesses should note from the case.

"The breach in this case took place in the context of a criminal investigation but the harm done essentially resulted from what was allegedly an individual recklessly disclosing data in error," Scanlon said. "It is a reminder that there are potential criminal consequences for organisations and individuals within organisations if they fail to adhere to proper standards of keeping data secure."

Under the ICO's general guide to data protection (130-page / 893KB PDF), the watchdog makes clear that businesses, and staff within businesses, can in certain cases be deemed to have committed a criminal offence under the DPA.

"If a company or other corporation commits a criminal offence under the Act, any director, manager, secretary or similar officer or someone purporting to act in any such capacity is personally guilty of the offence, as well as the corporate body, if the offence was committed with their consent or connivance; or the offence is attributable to neglect on their part," the guidance states.

Criminal offences under the DPA include unlawfully obtaining, disclosing, or procuring the disclosure of personal data; selling, or offering to sell, personal data which has been unlawfully obtained; and processing personal data without notifying the Information Commissioner.

Other examples include failing to comply with an enforcement notice or an information notice, or knowingly or recklessly making a false statement in compliance with an information notice issued by the ICO, or obstructing, or failing to give reasonable assistance in, the execution of a search warrant.

Section 61 of the Act sets out the provisions under which directors, or other staff within businesses, can be held criminally liable for a breach of data protection laws.

"Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly," the Act states.

The current penalty for committing a section 55 criminal offence is a maximum £5,000 fine if the case is heard in a Magistrates Court and an unlimited fine for cases tried in a Crown Court.

The ICO has long called for stiffer punishments to be made available for serving on section 55 offenders and, in the wake of the Idowu case, again called for "more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information".

Under section 77 of the Criminal Justice and Immigration Act, the Justice Secretary has the power to introduce new regulations that would allow a custodial sentence to be available as a sanction to offenders under section 55 of the DPA. Those powers have yet to be used. In 2008 the Act came into force without the jail term penalty being immediately available.

Earlier this summer the Government announced that it would consult on whether to introduce imprisonment as a possible punishment for criminal breaches of the DPA.

A spokesperson for the Ministry of Justice (MoJ) has now said that it intends to carry out this consultation as part of a fuller review into the recommended data protection reforms made by Lord Justice Leveson as part of his review into the culture, ethics and practices of the press.

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind, previously said previously described as "perverse" the situation whereby organisations and individuals guilty of accidental breaches of personal data can be issued with monetary penalty notices of up to £500,000 for those breaches, under the ICO's civil enforcement regime, whilst organisations and individuals guilty of a criminal offence of deliberately invading privacy and misleading others can escape with a relatively minor punishment.