• Media Enquiries

    07505 448925(24hr)

The punishment doesnt fit the crime when privacy is violated

keyboardPrivate Investigators who tricked companies and public services into handing over personal information have been found guilty of breaking data protection laws. Yet, despite committing thousands of offences in a single year, the individuals will only face a relatively small fine.

This case alone highlights that serious need for our courts to issue much tougher penalties for unlawfully obtaining or disclosing personal information, otherwise these cases will continue to occur.  In this case, the court heard that nearly 2000 offences were committed between April 1 2009 and May 12 2010 by investigators working for ICU Investigations Ltd, whose clients include Allianz Insurance Plc, Hove Council, Leeds Building Society and Dee Valley Water.

Currently, unlawfully obtaining personal data is punishable by a fine of up to £5000 in a magistrate’s court, or an unlimited fine at a crown court. Many people will be shocked to learn that people who have been caught illegally accessing other people’s medical records and personal information will face such minimal penalties. We have consistently warned about the vulnerability of our personal information and we support the ICO in wanting to see stiffer penalties introduced for section 55 breaches.

If this case wasn’t evidence enough, the FT has disclosed that eight major construction companies have been forced to set up a compensation fund for construction workers whose names appeared on a secret industry “blacklist”. The blacklist, used by 40 of the biggest companies, was discovered in a raid by the Information Commissioner’s Office in 2009, and contained 3,219 names of workers and hundreds of environmentalists.

The incident raises serious questions about where the information came from.  In March 2012 the ICO’s David Clancy said: “There is information on the Consulting Association files that I believe could only be supplied by the police or the security services”. With such a violation of privacy, it is only right that individuals involved should absolutely be facing prosecution for obtaining and divulging the information.

The Information Commissioner, Christopher Graham has warned that “Public confidence in the security of information held about them is the foundation on which all sorts of online services and developments depends. The public expects to see firmer action taken against people who break the rules in this area, and Parliament needs to recognise that.”

It is hardly surprising people choose to ignore the law when the penalties handed down are trivial. It is essential that people who deliberately set out to acquire personal information without permission face the prospect of a jail sentence if people’s privacy is to be protected. Equally, the companies paying these investigators should not be able to turn a blind eye to the methods being employed on their behalf. They are paying for information and should face the full force of the law if they do not take steps to ensure it was legally acquired.

The Information Commissioner is absolutely right that tougher penalties are needed urgently and Parliament should not delay in giving him the powers he needs to protect our privacy.

Posted on by Emma Carr Posted in Data Protection, Information Commissioner

2 Responses to The punishment doesnt fit the crime when privacy is violated

  1. Ben

    I am not at all sure that tougher penalties are needed. PIs make a few hundred quid at most for tracing people, so a £5000 fine fits the bill nicely.

    In addition, civil damages are available (for breach of statutory duty) where anyone is actually harmed by these actions, as your own article makes clear.

    What is needed is more prosecutions. Without them, increased penalties will mean nothing.

  2. Anon

    Where breaches of personal and/or sensitive data are deliberate, as in the cases you mention, there needs to be much more stringent application of the law via prosecutions but also dismissal from job. Those found guilty of deliberately breaching such data should be banned from working in an environment where they could have access to such data for a lengthy period of time at least. Those buying such data illegally should face much, much greater penalties. The ICO needs to be much more visible in their education of data protection.

    Where data breaches are committed by police or other authorities holding personal/sensitive data such as medical data, the penalties need to be such that they make people stop and consider what they are doing with data. Too many people with access to data do not understand, nor are they educated sufficiently, in their obligations and the penalties they face for breaching data.

Add a Comment