Out-Law News 4 min. read

Regulators could soon be passed material about corporates' links to convicted 'blaggers', says SOCA

The Serious Organised Crime Agency (SOCA) is looking into sharing the names of more than 100 organisations and individuals connected to private investigators convicted of data 'blagging' offences with a number of regulators, including the UK's data protection watchdog, in a move that could lead to criminal prosecutions.

In a letter to chairman of the House of Commons' Home Affairs Committee Keith Vaz, SOCA director general Trevor Pearce said that the agency had yet to pass on material obtained through its 'Operation Millipede' investigation to the Information Commissioner's Office (ICO) five years after the operation began and four years after the agency drew up lists of 102 "clients" of four private investigators convicted in 2012 of 'blagging' offences under the Fraud Act.

SOCA had kept the information secret from the ICO in order not to prejudice Operation Millipede and, when that ended, an overlapping and still ongoing Metropolitan Police Service (MPS) operation, 'Tuleta', into "criminal acts that intrude on individual privacy for journalistic purposes", Pearce said.

However, the agency is in dialogue with the ICO and other regulators about sharing the information obtained through Operation Millipede to allow those regulators to determine whether or not they have grounds to take enforcement action, Pearce said.

"SOCA has kept in regular contact with the MPS and ICO over this issue," Pearce said in his letter. "lt has also had discussions with the Financial Conduct Authority and Solicitors Regulation Authority about future coordinated action."

"[On 15 August], SOCA chaired a meeting with the MPS and the ICO to discuss next steps, including the provision of the information to lCO. Work to achieve this is being taken forward in the coming weeks. SOCA will now convene a further meeting with the MPS and ICO to which other regulatory bodies will be invited. The aim will be to agree further coordinated activity."

SOCA has faced criticism about its decision not to disclose the names of the prosecuted private investigators' 102 clients allegedly involved in so-called "blue-chip hacking". SOCA has passed the lists of names onto the Home Affairs Committee but only under a protective marking, meaning that the lists cannot be made public.

Pearce said that the decision to classify the lists was "to ensure that publication would not prejudice current investigations by the MPS or any possible regulatory action by the ICO or others". Even when those investigations are concluded, "there will still be data protection issues to consider" around any potential disclosure, he said.

Pearce said that the material gathered as part of Operation Millipede suggests that 51 individuals' personal data appears to have been "fraudulently accessed". A further 49 individuals' personal data was contained on the files but there "was no specific evidence to show fraudulent access to personal data", he added.

SOCA wrote to 91 of the 100 individuals "whose addresses were available" to notify them that their personal data was held on the files, Pearce said.

In a statement in reaction to Pearce's letter, Vaz said that regulatory action is required "now".

"If we have learnt anything from the phone-hacking scandal, it is that the victims must be put first," the MP said.

Section 55 of the Data Protection Act (DPA) states that is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data" without the consent of those who control the data.

Businesses and their staff can in certain cases be deemed to have committed a criminal offence under the DPA.

"If a company or other corporation commits a criminal offence under the Act, any director, manager, secretary or similar officer or someone purporting to act in any such capacity is personally guilty of the offence, as well as the corporate body, if the offence was committed with their consent or connivance; or the offence is attributable to neglect on their part," guidance issued by the ICO states.

Criminal offences under the DPA include unlawfully obtaining, disclosing, or procuring the disclosure of personal data, or selling, or offering to sell, personal data which has been unlawfully obtained.

Section 61 of the Act sets out the provisions under which directors, or other staff within businesses, can be held criminally liable for a breach of data protection laws.

"Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly," the Act states.

Litigation expert Barry Vitou of Pinsent Masons, the law firm behind Out-Law.com, said that it is hard to prove corporate criminal liability.

"Proving corporate criminal liability, with rare exceptions like the Bribery Act, is often easier said than done and will turn on what the board of the company knew and proving it," Vitou said.

The current penalty for committing a criminal offence under section 55 of the DPA is a maximum £5,000 fine if the case is heard in a Magistrates Court and an unlimited fine for cases tried in a Crown Court, although the Government is to consult on whether to allow courts to serve criminal data breach offenders with a prison sentence.

The Information Commissioner has long called for greater penalties to be introduced for section 55 criminal offences under the DPA. Data protection law expert Kathryn Wynn of Pinsent Masons previously explained that prosecutors will often choose to bring cases under alternative provisions to those contained in the DPA because the potential penalties under the Act can be "so minor".

“If there is another avenue that prosecuting authorities can explore to obtain more penal convictions, such as under the Fraud Act, it is probably more effective to do this,” Kathryn Wynn said.

Under the Fraud Act it is an offence if a person "dishonestly makes a false representation and intends, by making the representation" to either "make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss".

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.