The Information Commissioner, Christopher Graham, has recently reiterated his desire for the court to have stronger sentencing powers for persons convicted of stealing personal data. His remarks remind us of the enforcement action which may follow Data Protection Act 1998 (DPA 1998) breaches. This blog post explores the topic in further detail.

R v Nagra - January 2016

Mr Graham made his remarks (see here) following the conviction of Sindy Nagra in January 2016. Ms Nagra had sold almost 28,000 customers’ records for £5,000. She had access to those records whilst working at a car rental company. The records were intercepted before they could be used for nuisance telephone calls.

Ms Nagra was fined £1,000 and ordered to pay a £100 victim surcharge and £864.40 prosecution costs after pleading guilty to unlawfully obtaining, disclosing and selling personal data contrary to section 55 of the DPA 1998.

Section 55 of the DPA 1998

Section 55 of the DPA 1998 creates two offences:

A person must not knowingly or recklessly, without the consent of the data controller:

  1. obtain or disclose personal data or the information contained in personal data; or
  2. procure the disclosure to another person of the information contained in personal data.

Neither section 55(1) nor section 55(2) is a “strict liability” offence. An individual therefore only commits the relevant offence if he acts “knowingly” or “recklessly”.

“Recklessly” is interpreted subjectively, meaning that a person acts recklessly with respect to (i) a circumstance when he is aware of a risk that it exists or will exist; (ii) a result when he is aware of a risk that it will occur; and it is, in the circumstances known to him, unreasonable to take the risk.

Proceedings for section 55 criminal offences can be brought by the Information Commissioner’s Office (ICO) or by the Director of Public Prosecutions (who heads the Crown Prosecution Service (CPS)).

The offence is triable either way – meaning that it can be tried either in the magistrates’ courts or the Crown Court.

The maximum sentence on indictment is a fine. For offences committed on or after 12 March 2015, a magistrates’ court can also impose an unlimited fine.  

Calls for increased sentencing powers

The ICO has long called for the introduction of custodial sentences for breaches of section 55 of the DPA 1998. The ICO argues that the court’s powers are an insufficient deterrent. Speaking following the sentencing of Ms Nagra, Mr Graham said:

“With so much concern about the security of data, it is more important than ever that the courts have at their disposal more effective deterrent penalties than just fines. People who break the criminal law by trading in other people's personal information need to know that they will be severely punished and could even go to prison”.

It should be noted that Parliament has already legislated for increased sentencing powers. The Criminal Justice and Immigration Act 2008 (the 2008 Act) introduced a power to amend section 55 to include custodial sentences. The Home Secretary can, after consultation, issue secondary legislation under the 2008 Act to introduce custodial sentences of up to 12 months on summary conviction, and up to two years of imprisonment for a conviction on indictment for those involved in the illegal trade of personal information (see section 77 of the 2008 Act). This provision is not yet in effect.

Others have recommended that the court be afforded greater sentencing powers for breaches of section 55. For example, in November 2012, Sir Brian Leveson published his report into the culture, practices and ethics of the UK press in which he argued that the power to include custodial sentences be exercised.

The other enforcement powers of the ICO

As the body responsible for enforcing and overseeing the DPA 1998, the ICO enjoys enforcement powers separate from the court. The Information Commissioner can impose a fine (up to a maximum of £500,000) for serious contraventions of the DPA 1998 (see section 55A).

In policing the data protection regime, the ICO (under Schedule 9 of the DPA 1998) has powers of entry and inspection after having obtained a warrant from a circuit judge or a district judge. The ICO can also interview individuals as part of any enforcement action.

Does the ICO need stronger sentencing powers?

Some have questioned the need for the ICO to have stronger sentencing powers. There already exist a number of offences that carry custodial penalties for which those who breach section 55 of the DPA 1998 can be convicted. For example, a person who has breached section 55 could be prosecuted, inter alia, for (depending on the facts):

  • Unlawful interception of communications contrary to the Regulation of Investigatory Powers Act 2000;
  • Unauthorised access to computer material contrary to the Computer Misuse Act 1990;
  • Making a false representation contrary to the Fraud Act 2006; or
  • Misconduct in a public office contrary to the common law.

A person could also be found guilty under the inchoate and accessory principles of criminal law (this includes attempt and conspiracy).

The Government has also argued that the ICO can seek to obtain the proceeds of illegal transactions, including those involving breaches of the DPA 1998, through confiscation orders under the Proceeds of Crime Act 2002. Although this has only occurred on a limited number of occasions, there is no reason in principle why (following a change of CPS prosecution policy) confiscation proceedings could not be pursued as a matter of course following a DPA 1998 conviction.

Moreover, the ICO already has (as alluded to above) punitive enforcement powers. In the last year, in addition to 11 successful criminal prosecutions, the ICO served 20 monetary penalty notices on organisations for breaching provisions of the DPA 1998. In one week in February 2016, the ICO fined two companies £150,000 for data protection breaches. Of course, the ICO will receive even more punitive sanctioning powers once the new EU Data Protection Regulation comes into effect in 2018.

Conclusion

We have blogged previously about the inevitability of data protection breaches (see here). The deliberate violation of the provisions of the DPA 1998 is something of a different order. Nevertheless, businesses should be alert to the range of criminal offences (there are fifteen in total) created by the DPA 1998. Directors and other officers of companies which have committed offences under the DPA may be liable to prosecution. Where a company has committed an offence and it is proved to have been committed with the consent or connivance of, or due to any neglect on the part of, the officer concerned, that person will be guilty of the offence in addition to the company itself (see section 61 of the DPA 1998). The same applies to the members of a company that is managed by its members.