ICO calls for prison sentences for serious personal data breaches

The law protecting personal data needs to be strengthened so those guilty of serious abuses can be effectively punished Information Commissioner Christopher Graham has said.

Speaking at the Justice Select Committee this morning, Graham said that in these cases, the courts should be able to jail someone rather than just fine them; which is the only penalty available under the Data Protection Act (DPA).

To illustrate his point, Graham outlined a recent case where the personal information of the victim of a serious sexual attack had been accessed by the attacker's wife.

Sarah Langridge, whose husband is in jail for the attack, used her position as a cashier with Barclays bank to illegally access the victim's personal records. This is a breach of Section 55 of the DPA, under which it is an offence to "knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data".

"It beggars belief that, in an age where our personal information is being stored and accessed by more organisations than ever, the penalties for seriously abusing the system still do not include the possibility of a prison sentence, even in the most serious cases.

"Access to online records is now part and parcel of almost every transaction the citizen makes, with government agencies, local government, the NHS, DVLA, high-street banks, insurers, social networks. This only makes the risks to privacy greater and the need for security greater still."

The current penalty for committing an offence such as Mrs Langridge's is a maximum £5,000 fine if the case is heard in a Magistrates' Court or an unlimited fine in a Crown Court.

Mrs Langridge's case was heard in Brighton Magistrates' Court, where she pleaded guilty, claiming she had used the information to build a picture of the woman who had accused her husband. She claimed that she had not made a record of any of the information she viewed, nor disclosed it to her husband or any other third party.

Despite the seriousness of the offence, she was only fined £800, made to pay £400 costs and a £15 victims' surcharge. Graham said this didn't send a strong enough message to deter such offences.

Graham said: "The details of this case are truly shocking. The victim had a harrowing enough experience at the hands of her attacker; the revelation that her attacker's wife was then rooting through all her personal details, for whatever purpose, would have caused even further distress.

"I note the outcome of this latest case, and I remain concerned that the courts are not able to impose the punishment to fit the crime in all cases, because the current penalty for this all too common offence is limited to a fine rather than the full range of possible sentences, including prison for the most serious cases," Graham added.

He will also call for custodial sentences to be made available to the courts as a more effective deterrent to the unlawful trade in personal information as well.