Watchdog bemoans insufficient punishment for data blagging offences

Out-Law News | 28 Feb 2012 | 12:14 pm | 4 min. read

The Information Commissioner has reiterated his belief that people criminally convicted of 'blagging' personal data under UK data protection laws should face prison sentences.

Christopher Graham said "chicken feed fines" were insufficient to deter individuals from blagging information and expressed frustration that the ability to issue prison sentences to data blaggers for offences under the Data Protection Act (DPA) has still to be introduced. Blagging is the use of deceit to extract personal data from people or organisations.

Graham made his comments after two courts issued contrasting sentences to data blagging offenders on Monday.

"The contrast is striking in the penalties available for blagging under the Fraud Act on the one hand and under the Data Protection Act on the other. On the same day, prison sentences were handed down in one court with chicken feed fines being imposed in another – all for the same activity," Graham said in a statement.

The Information Commissioner's Office (ICO) reported that four private investigators had been jailed for offences under the Fraud Act. The men pled guilty to stealing confidential personal and financial information and selling it to "corporate clients and private individuals," according to the Serious Organised Crime Agency (SOCA) which investigated the case.

Philip Campbell Smith, Adam Spears and Graham Freeman used the services of Daniel Summers to acquire the information, SOCA said. Summers had "targeted banks, financial institutions, mortgage providers, government agencies and law enforcement databases".

The ICO also reported that a letting agent from Tottenham, Pinchas Braun, had been convicted of "an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act".

Braun had phoned the Department for Work and Pensions (DWP) and fraudulently tried to access the benefits account of a tenant. His attempted unauthorised access was uncovered when a DWP staff member became suspicious about Braun's inability to quote the tenant's middle name. Braun was fined £200 and told to pay a £15 victim surcharge and £728.60 prosecution costs by Highbury Magistrates Court.

Under the Criminal Attempts Act a person is "guilty of attempting to commit the offence" if, after setting out "with intent to commit an offence" they commit "an act which is more than merely preparatory to the commission of the offence".

Under section 55 of the DPA a person is generally guilty of an offence if they "knowingly or recklessly ... obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data" without consent from the 'data controller'. A person is not guilty of an offence if they can show that unlawfully obtaining, disclosing or procuring of the personal data was justified as being in the public interest.

Graham has previously complained that the penalties available for a criminal conviction under section 55 do not act as a sufficient deterrent to blagging offences.

Under the Criminal Justice and Immigration Act the Justice Secretary has the power to introduce new regulations that would allow a custodial sentence penalty to be available for blagging offences under section 55 of the DPA, but those powers have yet to be used. The current penalty for committing a section 55 offence is a maximum £5,000 fine if the case is heard in a Magistrates Court and an unlimited fine for cases tried in a Crown Court.

Last year the Justice Committee in the House of Commons reported that fines under the DPA were usually much lower than permitted because judges and magistrates must take into account the offender's ability to pay.

In September Graham said that, on average, offenders are fined just £100 if found guilty of an offence under section 55 of the DPA.

The ICO does have the power to issue monetary penalty notices of up to £500,000 for serious breaches of the Act, but that is in relation to civil cases.

“The criminal sanctions under the DPA can be so minor that if there is another avenue that prosecuting authorities can explore to obtain more penal convictions, such as under the Fraud Act, it is probably more effective to do this,” Kathryn Wynn, expert in data protection law at Pinsent Masons, the law firm behind Out-Law.com, said.

“It seems perverse that organisations and individuals guilty of accidental breaches of personal data can be issued with monetary penalty notices of up to £500,000 for those breaches, but organisations and individuals guilty of a criminal offence of deliberately invading privacy and misleading others can escape with a relatively minor punishment,” she said.

Out-Law.com asked SOCA to confirm the Fraud Act offences that the four private investigators had been convicted of but did not receive this information. However, under that Act it is an offence if a person "dishonestly makes a false representation and intends, by making the representation" to either "make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss".

Businesses that bought confidential personal and financial information from the private investigators could themselves face legal action under UK data protection laws, Christopher Graham said.

SOCA has passed over evidence to the ICO which will assess whether the men are guilty of further offences under the DPA.

However, the Information Commissioner expressed frustration at the current limitations in the penalties that can be levied by courts for blagging offences.

“If SOCA had been restricted to pursuing this case solely using their powers under the Data Protection Act then these individuals would have been faced with a small fine and would have been able to continue their activities the very next day. This is not good enough," Graham said.

“Unscrupulous individuals will continue to try and obtain peoples’ information through deception until there are strong punishments to fit the crime. We must not delay in getting a custodial sentence in place for section 55 offences under the Data Protection Act," he said.