Anyone trading illegally in personal data should be sent to prison for up to two years, according to the UK's Information Commissioner. Richard Thomas warned today that confidential information is too easily stolen from public and private organisations.
Mr Thomas is using special powers under the Data Protection Act to present a 48-page report to Parliament which describes an industry devoted to illegally buying and selling people’s personal information such as current addresses, details of car ownership, ex-directory telephone numbers or records of calls made, criminal records and bank account details.
Private investigators, tracing agents and their operatives – often working loosely through several intermediaries – are the main suppliers, according to the report. Information is usually obtained by making payments to staff or impersonating the target individual or another official. Some victims are in the public eye; others are entirely private citizens.
The ultimate buyers of illegally obtained personal information include journalists, financial institutions and local authorities wishing to trace debtors, estranged spouses seeking details of their ex-partner’s whereabouts or finances and criminals intent on fraud or witness or juror intimidation.
Up to £750 is paid for telephone account enquires, according to one investigation. In another case, an agent was invoicing up to £120,000 a month for tracing activities.
The report arises from investigations carried out by the Information Commissioner’s Office, sometimes using search warrant powers. Documents seized revealed evidence of a large scale market in the trading of personal information.
It is an offence under section 55 of the current Data Protection Act 1998 to obtain, disclose or procure the disclosure of personal information without the consent of the organisation holding the data. In the six years since the Act came into force, some 1,000 section 55 complaints reached the Information Commissioner’s Office.
Between November 2002 and January 2006, the Information Commissioner brought 25 prosecutions in Crown and Magistrates courts in England and Wales. Convictions were obtained in 22 cases; but the highest fine was £1,000 and most penalties were much lower.
The penalties are too low, says the Commissioner, and they do not have a deterrent effect.
"People care about their privacy and have a right to expect that their personal details should remain secure from those with no right to see them," said Mr Thomas. "Disclosure of even apparently innocuous personal information can be highly damaging in some situations – such as the address of a woman fleeing domestic violence."
He warned that organisations can also be victims and warned them to be fully aware of the risks of unauthorised disclosure. He urged them to take strong precautions. "Plugging the gaps becomes ever more urgent as the government rolls out its programme of joined-up public services and joined up computer systems,” he said.
Mr Thomas added: “Low penalties devalue this serious data protection offence in the public mind and mask the seriousness of the crime, even within the judicial system. They do little to deter those who seek to buy or supply private information that should remain private."
His office proposes a prison sentence of up to two years for people convicted by the crown courts and up to six months for those found guilty by magistrates. "The aim is not to send more people to prison," he said, "but to discourage all who might be tempted to engage in this trade – whether as suppliers or buyers."
The Commissioner will publish a follow-up report in six months to record responses, reactions and progress towards implementing the report’s proposals. He is also hoping that the issue will be raised in Parliament.