The Information Commissioner's Office (ICO) has brought four prosecutions over the past seven months against employees who have illegally accessed and disclosed personal data held by their employer. These have led to fines of up to £4,391. More significantly from a personal perspective, at least three of the relevant employees are no longer in their post following such illegal access.
The ICO has made clear that it wants more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.
Chris Grayling, Secretary of State for Justice, wrote to Keith Vaz last month advising that the public will be consulted as to whether there should be custodial sentences for breaches of the Data Protection Act 1998 (DPA).
Unlawfully obtaining or disclosing personal data is a criminal offence under section 55 of the DPA. The offence is punishable by way of ‘fine only’ – up to £5,000 in a Magistrates' Court or an unlimited fine in a Crown Court.
The DPA also requires:
that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes (“2nd DPP”); and
a data controller to implement appropriate technical and organisational measures and a level of security appropriate to the harm that may result from unauthorised or unlawful processing or accidental loss, destruction or damage of personal data and the nature of the personal data to be protected (“7th DPP”).
Lessons to be learned from the recent prosecutions and fines include:
Nathaniel Lane is a Solicitor in Michelmores’ Technology, Media and Communications Team who has an ISEB Certificate in Data Protection. For further information on this matter or data protection generally, please contact Nathaniel at email@example.com or on 0207 788 6313.