A Justice Committee report has declared current penalties insufficient to deter data privacy offences
A report by members of parliament on the Justice Committee has called for more severe penalties, including custodial sentences, to be imposed on those found guilty of breaching the Data Protection Act.
The committee found that the current fines issued for such breaches were an insufficient deterrent to those who wished to profit from breaking the law.
Greater deterrent needed
The Information Commissioner’s Office (ICO) has been in favour of prison sentences for data protection offenders, yet waited until November 2010 to issue its first fine, despite being granted that power in April that year.
However, since then, it has fined a number of organisations for breaches, including Ealing and Hounslow councils, who were fined £80,000 and £70,000 respectively for losing unencrypted laptops; and Surrey County Council, which was fined £120,000 for three breaches of the act, including sending personal data to taxi firms and people on a council mailing list.
Sir Alan Beith MP, the chair of the Justice Committee said, “Fines are used to punish breaches of data protection laws, but they provide little deterrent when the financial gain exceeds the penalty.”
He continued, “Magistrates and judges need to be able to hand out custodial sentences when serious misuses of personal information come to light. Parliament has provided that power, but Ministers have not yet brought it into force – they must do so.”
The committee also approved of the government’s commitment to ban referral fees, believing that they created a financial incentive to break the law. The committee cited the case of a nurse who passed on patient details to her partner who worked for an accident management company, but was only fined £150 per offence, despite being paid £900 for every referral.
Power to the ICO
The committee also called on the Information Commissioner to receive more powers to compel audits of companies. Currently, the ICO offers free data protection audits, but a significant percentage of companies have declined this offer.
It also recommends the ICO becomes directly responsible to, and funded by, parliament, saying that the issue of referral fees may have been tackled sooner if it had been given such powers sooner.
The Information Commissioner Christopher Graham welcomed the committee’s findings, “The Government should lose no more time in bringing in appropriate deterrent sentences to combat the unlawful trade in personal data.”
“We need action, not more words. Citizens are being denied the protection they are entitled to expect from the Data Protection Act.”