Powers of the Information Commissioner’s Office

The ICO (Information Commissioner’s Office) has the power to bring enforcement action against individuals if they steal personal data. Section 55 of the Data Protection Act covers the offence of stealing personal data and is the section under which several individuals have recently been fined.

Section 55 Unlawful obtaining etc. of personal data.

(1) A person must not knowingly or recklessly, without the consent of the data controller(a) obtain or disclose personal data or the information contained in personal data, or(b) procure the disclosure to another person of the information contained in personal data.

(4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).

(5) A person who offers to sell personal data is guilty of an offence if—(a) he has obtained the data in contravention of subsection (1), or(b) he subsequently obtains the data in contravention of that subsection.

If the court action results in a conviction, the level of the fine that can be imposed is unlimited but the ICO does not have the power to impose a custodial sentence. However, the Information Commissioner believes that fines may not be enough of a deterrent and has called for stronger sentencing powers for people who are convicted of stealing personal data.

The commissioner explained that cold-calling companies, who are behind the plague of unwanted calls about PPI and insurance claims often pay large amounts of money to people to steal personal data and pass it on. Fines, he said, were not enough of a deterrent to stop this kind of behaviour. He would like to see the courts given more powers, including suspended sentences, community service, and – if the case is particularly serious – even prison.

The ICO’s enforcement record

In the meantime, the ICO has shown that it is perfectly willing to impose heavy fines on both organisations and individuals who are found to have breached data protection regulations.

Since April 2015, they have taken the following action:

April 2015 Lismore Recruitment Ltd prosecuted for failing to notify with the ICO, and a caution given to an employee of China Bridge Group (UK) for a criminal breach of section 55 of the DPA.

May 2015 A civil monetary penalty of £160,000 issued to South Wales Police.

August 2015 A civil monetary penalty of £180,000 issued to the Money Shop after the loss of computer servers holding details of several thousand customers.

September 2015 A civil monetary penalty of £200,000 issued to Home Energy and Lifestyle Management Ltd. for automated phone calls.

October 2015 A civil monetary penalty of £130,000 issued against Pharmacy 2U

November 2015

Enforcement notices issued against Nuisance Call Blocker Ltd and Telecom Protection Service Ltd, as well as civil monetary penalties of £170,000.

A civil monetary penalty of £200,000 issued against the Crown Prosecution Service following the theft of laptops.

Aston James Consulting fined £1,430 for failing to comply with an enforcement notice.

December 2015

A civil monetary penalty of £30,000 issued against Telegraph Media Group Ltd for sending unsolicited emails.

Bloomsbury Patient Network issued with a penalty of £250 for failing to protect the privacy of individuals.

Two people prosecuted under section 55 of the DPA for unlawfully obtaining personal data; one was fined £300 and the other £1,000.

January 2016

RFF Services (UK) prosecuted for failing to comply with an enforcement notice; they were fined £200. An individual was fined £1,000 for unlawfully obtaining and disclosing personal data.

February 2016

A civil monetary penalty of £350,000 issued to ProDial Ltd, and one of £70,000 to Direct Security Marketing Ltd for a series of frightening automated calls sent in the middle of the night.

Since March, another sixteen individuals and organisations have been fined by the ICO. The total amount of fines was £1,736,000. The smallest was £1,000 and the largest £250,000.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)

These sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.

The regulations cover:

• Marketing by electronic means, including marketing calls, texts, emails and faxes.

• The use of cookies or similar technologies that track information about people accessing a website or other electronic service.

• Security of public electronic communications services.

• Privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (e.g. caller ID and call return), and directory listings.

What do organisations need to do?

• Check that they are adhering to the eight data protection principles

• Ensure that they comply with the PECR

• Inform all employees of their obligations under Section 55 of the Data Protection Act.

• Review and amend where necessary staff handbooks, policies and contracts of employment to cover data theft and its consequences