In the course of a report into private investigators, the Home Affairs Select Committee has turned its attention to data protection and privacy issues. Two recommendations stand out in that context: (i) a call for the Home Secretary to use her powers under the Criminal Justice and Immigration Act 2008, s 77 to increase the penalty for offences under the Data Protection Act 1998, s 55 and (ii) a call for the government to consider combining the Information Commissioner’s role with the roles of the Interception of Communications Commissioner (whose task is to keep under review the issue of warrants for the interception of communications) and the Surveillance Commissioner (who has oversight of the use of covert surveillance and covert human intelligence sources by public authorities).
Readers will no doubt recall that the Information Commissioner has long complained of the need for much more severe penalties and clearly the Committee has been persuaded that he is right. Section 77(1) of the 2008 Act provides as follows:
The Secretary of State may by order provide for a person who is guilty of an offence under section 55 of the Data Protection Act 1998 (unlawful obtaining etc of personal data) to be liable—
(a) on summary conviction, to imprisonment for a term not exceeding the specified period or to a fine not exceeding the statutory maximum or to both,
(b) on conviction on indictment, to imprisonment for a term not exceeding the specified period or to a fine or to both.
The specified periods, as current sentencing powers stand, are six months on conviction in a magistrates’ court and two years on Crown Court conviction. The Act goes on to require that use of the power to implement must follow a period of consultation with the Information Commissioner, such media organisations as the Secretary of State considers appropriate and ‘such other persons as the Secretary of State considers appropriate’.
The call for consideration of the unification of Commissioner roles follows the recognition from the minister responsible, Lynne Featherstone, that the ‘disjunction between the different data commissioners was not ideal’. The Committee suggests that the combined role might be embodied in a new Information and Privacy Commissioner.
The relevant section of the report is set out below. It can be read in full here.
3 The remedies
37. Though there is no direct regulation of private investigators, there is some legislation which governs the acquisition, storage and use of personal information—principally the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000. The penalties for the misuse of personal data are negligible and there is no regime of regulatory guidance for the sector.
38. When a private investigator conducts “covert surveillance”, such as bugging, on instructions from a public authority, this activity falls under the Regulation of Investigatory Powers Act 2000. However, the Act provides no protection where the investigator’s client is a private individual. For these private cases, the main statutory protection comes from the Data Protection Act 1998.
39. There are three Commissioners with responsibilities that have a bearing on the private investigation industry: the Information Commissioner, whose responsibilities focus on the Data Protection Act; the Interception of Communications Commissioner, whose task is to keep under review the issue of warrants for the interception of communications; and the Surveillance Commissioner, with oversight of the conduct of covert surveillance and covert human intelligence sources by public authorities.
40. The division of responsibility between the Information Commissioner and the Interception Commissioner was not clear. The Minister, Lynne Featherstone, recognised that the disjunction between the different data commissioners was not ideal. She told the Committee that:
What I have always thought would be the ideal is if you had an over-arching commissioner, or not that you have an over-arching commissioner but you have the commissions co-located. I thought that might be very helpful, in terms of sharing and working together as the commissioner body.[50]
41. Personal privacy would be better protected by closer working between the Information Commissioner, the Chief Surveillance Commissioner and the Interception of Communications Commissioner. We recommend that the Government aim, before the end of the next Parliament, to co-locate the three Commissioners in shared offices and introduce a statutory requirement for them to cooperate on cases where both the Data Protection Act and the Regulation of Investigatory Powers Act are relevant. In the longer term, consideration should be given to merging the three offices into a single Office of the Information and Privacy Commissioner.
42. Most of the actions pursued by the Office of the Information Commissioner were in relation to “blagging” information in contravention of section 55 of the Data Protection Act, which deals with the unlawful obtaining, disclosure and selling of personal data and the procurement of such actions. Christopher Graham, the Information Commissioner, told us:
We are now in the 21st century, an information society, and keeping information secure is really important. All the things we want to do about open data, about data sharing, depend on people having confidence that the information they give to the authorities will stay secure […] a range of penalties need to be available, not just a modest fine.[51]
43. As the Information Commissioner emphasised, breach of section 55 of the Data Protection Act is an offence punishable only by a fine. In the Magistrates’ Court, the fine is up to £5,000, in the Crown Court, it can be an unlimited fine, but cases rarely reach the Crown Court. Typically, fines have been around £100 per count, taking account of the defendant’s means.[52] The concern that these sentencing powers were not a sufficient deterrent was raised in 2006 in the previous Information Commissioner’s reports What price privacy? and What price privacy now?.[53]
44. Section 77 of the Criminal Justice and Immigration Act confers on the Secretary of State an Order-making power to increase the penalty for offences under section 55 of the Data Protection Act. Both the Information Commissioner, Christopher Graham, and his predecessor, Richard Thomas, believed that this power should be invoked so that a stronger and more deterrent penalty could be available to the courts.[54]
45. In order to provide a more effective deterrent, the Information Commissioner and Crown Prosecution Service could consider making greater use of powers to confiscate their criminal proceeds. The Proceeds of Crime Act 2002 gives prosecuting authorities the power to seek the recovery of any benefit the convicted defendant obtained by breaching the Data Protection Act, or any other statute. The Information Commissioner’s Office obtained confiscation orders for the first time for section 55 offences in a case before Warrington Crown Court in 2011. The defendants were made subject to confiscation orders amounting to £73,700. This stands in contrast to the cases of Steve Whittamore, Glen Mulcaire and Sharon and Stephen Anderson, who may have profited considerably from data offences, but received relatively light sentences.
46. Confiscation orders should be sought where a person is convicted of data and privacy offences and has sold the information for profit.
47. We recommend that the Home Secretary exercise her power under section 77 of the Criminal Justice and Immigration Act 2008 to strengthen the penalties available for offences relating to the unlawful obtaining, disclosure and selling of personal data under section 55 of the Data Protection Act. The current fine—typically around £100—is derisory. It is simply not an effective deterrent.