Christopher Graham, the Information Commissioner (ICO) for England and Wales, has hit out at the current legislation on data protection, saying that it is too lenient. 

"The existing paltry fines for Section 55 [of the Data Protection Act] offences are simply not enough to deter people from engaging in this lucrative criminal activity. The threat of jail, not fines, will prove a stronger deterrent," he said. There has recently been a flurry of high profile cases involving a breach of the Data Protection Act. Back in March 2009, it was revealed that the Consulting Association had used the personal data of thousands of workers in the building trade to create a blacklist of union officials and troublemakers. Dozens of major building companies had subscribed to the service, which allowed them to unofficially "vet" potential employees. 

The individual behind the activity was eventually prosecuted for failure to notify the Information Commissioner of his status as a data controller, but was not prosecuted for the actual sale of the details. In another case, an only just recently, it emerged that employees of T-Mobile had sold the personal data of millions of customers to T-Mobile's competitors, including the expiry date of their contracts, allowing the competitors to make approaches to customer whose contracts were about to expire. The matter was referred to the ICO by T-Mobile itself, who said that it had no knowledge of the activities of its staff. It is understood that substantial money was paid to the employees for the data. The Government is currently consulting on changes to the penalties for breach of the Data Protection Act. It is proposed to increase the level of the fine which could be imposed to £500,000 and provide for jail terms of up to 1 year on summary conviction or 2 years on indictment.

Commentators have criticised the low level of sanctions available for those convicted of breaching the Data Protection Act, particularly when set against the backdrop of potential value of the information released, the maximum possible fine of £5,000 seems paltry. When compared to the amount of money generated by The Consulting Association and that paid to the T-Mobile employees for the data sold by them, it would seem to be a high reward/low risk activity for those wishing to make a quick buck. 

Published - December 2009 This article is provided for general information only. 

Please do not make any decision on the basis of this article alone without taking specific advice from us. stevensdrake will only be responsible for the advice we give which is specific to you.