British courts should be able to impose jail sentences on people who steal and illegally sell personal data, MPs have urged.
The UK Data Protection Act 1998 carries a provision for custodial sentences for malicious data breaches, but the provision, added in 2008, has not been brought into force. The government should bring this power into play for judges and magistrates, the House of Commons Justice Committee said in a report released on Thursday.
At present, people can be fined for illegally selling data, but the amounts of money that can be gained by passing on information outweigh the penalties, Justice Committee chair Sir Alan Beith MP noted.
"It's common for significant financial gain to be involved in the improper transfer of information," Beith told ZDNet UK. "Clearly there's no real [financial] deterrent effect."
The Justice Committee report gave case studies of the theft and sale of confidential information. One concerned a nurse who provided patient details to her partner, who worked at an accident management company. The nurse was fined £150 per offence, whereas accident management companies pay up to £900 for an individual's details.
'Blagging' — conning organisations into handing over data — and selling data are "serious offences that cause great harm", according to Beith.
The government is waiting for the outcome of an enquiry into media practices by Lord Leveson to decide whether custodial sentencing for data theft should be brought in, Beith said. The Leveson inquiry was set up in response to the phone-hacking scandal at the now-defunct News of the World.
The issue of data theft is not confined to the media, according to Beith, who called it "a broader problem", especially affecting the insurance and healthcare industries.
Another concern raised by the Justice Committee is that some misuses of data by businesses may be going unchecked because the Information Commissioner's Office (ICO) does not have the power to force private-sector organisations to undergo an audit.
"The government is increasingly making much wider use of the private sector," Beith said. "We need to make sure data protection is of a quality necessary for the sensitivity of the information we are talking about."
He called on the Ministry of Justice, which sponsors the ICO, to talk to the data protection watchdog about widening the powers of the ICO to include the private sector. In particular, they should discuss whether the current processes are too cumbersome, he said.
Christopher Graham, the UK's information commissioner, also backs custodial sentences for data theft. "The government should lose no more time in bringing in appropriate deterrent sentences to combat the unlawful trade in personal data," Graham said in a statement on Thursday.
"Lord Justice Leveson's inquiry into press standards should not be used as an excuse for inaction," he added. "We shouldn't have to wait a further year for the 2008 legislation to be commenced, when today's highly profitable trade in our data has little if anything to do with the press."
Graham said the ICO is building a case to extend its inspection powers to industry sectors, including motor insurance and financial services. The organisation has been asking for wider powers of inspection for a number of years.
"We have made the case to the government over many years that we believe that to be able to enforce the Data Protection Act properly, we need the power to compel an audit of any organisation that processes personal data," an ICO spokeswoman said.
"The government has consistently resisted giving us such a general power, but in 2009 did introduce limited provisions which enable us to be given this power for a particular business sector, once we have made a case relating to that sector," she added.
Those powers came into force in April 2010, while the ICO has been building a business case for inspection powers for the motor insurance and financial services sectors for over a year and a half.
The Ministry of Justice said it will consider the Justice Committee report, but stressed there are already provisions in law for the courts to deal with data theft.
"People who break data protection laws can currently face an unlimited fine," a ministry spokesperson said. "If they have also committed other offences, such as fraud or unlawfully intercepting communications, they could also face a lengthy prison sentence."