Potential for up to two years in prison if government plans receive go ahead
Data protection breaches could lead to up to two years in prison, under plans mooted by the government.
Proposals to introduce custodial sentences are included in a Ministry of Justice consultation paper released last month, The knowing or reckless misuse of personal data. They would apply to individuals found guilty of knowingly or recklessly obtaining, disclosing, selling or procuring the disclosure of personal data without the consent of the data controller.
Offenders could be imprisoned for up to two years on indictment, and up to 12 months on summary conviction, in addition to unlimited fines on indictment or fines up to £5,000 on summary conviction.
There would be a defence available if the individual could show they acted for the purposes of journalism, or artistic or literary purposes, and with a reasonable belief that the obtaining, disclosing or procuring was in the public interest.
Tom Morrison, associate at Rollits, who specialises in data protection, says: “This has been a long time coming, but it does appear that the arrival of the new information commissioner has provided a renewed impetus to get custodial sentences on the books.
“Unlawful trading in personal information continues to make some people very rich. At the moment those individuals ‘only’ risk a criminal record and a fine. The theory is that if their liberty was also put at risk they might think twice before committing the offence.
“Bearing in mind that custodial sentences will be reserved for the worst offenders, a legitimate business which makes an accidental error in the handling of personal information has little to fear from the ministry’s latest proposals. Having said that it would be wrong to suggest that businesses can risk being complacent.
Morrison adds that in addition to the Ministry’s proposals and the Information Commissioner’s forthcoming new power to issues fines directly (in the form of monetary penalty notices), there remains a serious and genuine risk of reputational damage for any business which allows information about its employees or customers to be misused.
Former Advertising Standards Authority chief Christopher Graham took over the role of Information Commissioner in June.