Law Commission Consultation and Data Protection

March 2, 2017

The Law Commission is in the middle of a consultation period
(which ends on 3 April) relating to the legislation concerned with the
protection of official data. The basic summary document can be accessed here.
I won’t be tempted to get dragged into the controversy that has surrounded that
consultation – at least not here (see me in the pub later, when I can give full
vent to my half-informed views). If the controversy has passed you by and you
want to explore it, there are interesting starter points here
and here.

My aim in this blog post is to highlight the points raised in
that consultation about personal information disclosure offences and, in
particular, the Data Protection Act 1998, s 55. I fear that an opportunity to be
heard on a matter of obvious interest to many SCL members may be missed.

This is what the summary document says on personal information
disclosure offences and s 55 (the refs are to numbered paras in the full
document):

4.1 Our consultation paper
identifies over one hundred offences which deal with unauthorised disclosure
and are contained in legislation other than the Official Secrets Acts
1911-1939; or 1989, referred to for convenience as “miscellaneous unauthorised
disclosure offences”. Section 55 of the Data Protection Act 1998 is the most
well-known and the most often invoked offence of this type.

4.2 Broadly speaking, these
miscellaneous offences fall into two categories. The first category contains
those offences which criminalise the disclosure of personal information held by
public bodies, broadly defined. The second category contains those offences
that criminalise the unauthorised disclosure of information concerning national
security, such as information that relates to the enrichment of uranium.

4.3 We consider some of the
difficulties with the law relating to the disclosure of personal information
and ask whether consultees agree with our assessment that a full review of
personal information disclosure offences is needed. The difficulties we have
identified with the current law are examined comprehensively and include, for
example, lack of uniformity in the drafting of the current law; inconsistency
around whether consent is needed to commence prosecution and lack of uniformity
around whether the recipient of the information is criminalised.

Do consultees have a view on whether a full review of personal
information disclosure offences is needed? [4.59]

4.5 This chapter also examines some
issues that our research has uncovered and which relate to the offence
contained in section 55 of the Data Protection Act 1998.

Section 55 of the Data Protection Act 1998

4.6 Section 55 makes it an offence
knowingly or recklessly to obtain, or to procure the disclosure to another of
personal data without the consent of the data controller. This is a
freestanding offence in the sense that, unlike most of the offences examined in
the above section, it does not accompany a statutory information gateway. The
offence can be committed by individuals in both the public and private sectors
and the maximum sentence on conviction, either summarily or on indictment, is
an unlimited fine. Prosecutions under section 55 of the Data Protection Act
1998 can only be brought by the Information Commissioner, or by the Crown
Prosecution Service with the consent of the Director of Public Prosecutions.

4.7 Two important reforms to
section 55 of the Data Protection Act 1998 were included in the Criminal
Justice and Immigration Act 2008. First, section 77 of the 2008 Act gives the
Secretary of State the power to make section 55 of the 1998 Act an imprisonable
offence with a maximum sentence of 12 months’ imprisonment and/or a fine on
conviction in the magistrates’ court; and two years’ imprisonment and/or a fine
on conviction in the Crown Court. Before exercising the power to bring this
provision into force, the Secretary of State must consult with the Information
Commissioner, appropriate media organisations and other appropriate persons (Criminal
Justice and Immigration Act 2008, s 77(4)). Although section 77 of the 2008 Act
has been granted the Royal Assent, the Secretary of State has not yet exercised
the power to bring it into force.

4.9 Secondly, section 78 of the
2008 Act inserts a new statutory defence into section 55 of the Data Protection
Act 1998. This defence may be pleaded if the individual who disclosed the
personal data was acting with a view to publishing “journalistic, literary or
artistic material”; and with the reasonable belief that the disclosure,
obtaining or procuring was in the public interest. Section 78 is not yet in
force.

4.10 Our consultation paper
identifies some problems relating only to the Data Protection Act 1998. These
problems include the maximum available sentence (currently a fine) which does
not necessarily seem capable of reflecting adequately the seriousness of the
offence and the fact that the data controller is the victim of the unauthorised
disclosure, rather than the individual whose personal data has been disclosed.

4.11 Given the problems we have
identified with the offence, our provisional conclusion is that section 55
requires review to assess the extent to which it adequately protects personal
information. (Although the offence in section 55 contains a number of
deficiencies, we believe it is also worthy of note that it does demonstrate
that it is possible to craft an overarching offence that protects personal
information.)

4.12 Do consultees have a view on whether the offence in section 55 of
the Data Protection Act 1998 ought to be reviewed to assess the extent to which
it provides adequate protection for personal information? [4.85]