I have drawn the conclusion that the Government will not commence the custodial nature of the Section 55 offence in the Data Protection Act this side of the General Election (and within the next few years). The reason is familiar: fear of upsetting the press.
I also think that the ICO needs to adopt another strategy to deal with the problem of not having the custodial element available; for instance, by passing over suitable cases to the public prosecutors and/or using the Monetary Penalty Notice (MPN).
As is well known, some of the tabloids and broadsheets are to the right of UK politics. Most of these newspapers take an anti-European stance and some support the idea of an “in-out” referendum; most of these newspapers also support the alternative Leveson Royal Charter drafted by their proprietors. In addition, some proprietors of these newspapers support those Conservative Euro-sceptic back-benchers who want Mr. Cameron either tied to a “UKIP-like” political-agenda (e.g. on human rights, immigration etc) or not leading the Party at all.
Suppose you are advising Mr Cameron in this febrile political atmosphere. With the next General Election about a year or so away, how about suggesting an offence that could result in Daily Mail journalists being locked up? Even after the Election, I don’t think an incoming Government will say: “Hey, let’s implement S.55”.
That is why, in a nutshell, I think the S.55 offence will not see the light of day for the next four or five years, when I suspect any Data Protection Regulation (if it survives – another story) will force the issue. The Regulation would also give Government the perfect alibi when implementing the custodial element of this offence: “Don’t blame me. Look what those nasty Europeans are imposing on us”. (No doubt, another reason for leaving the EU).
The issue has come to a head with the ICO’s Press Release (23 May 2013) concerning a former manager of a health service based at a council-run leisure centre in Southampton. This manager used sensitive personal data (medical) relating to over 2,000 people, and a fortnight ago was prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates Court. He was fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs.
The ICO said:
“This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a 'recordable offence' which it isn't now. For the most serious cases the current 'fine only' regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statute book but needs to be activated.”
How many times, over the last decade, have you heard the ICO say something like the quote above? Well, if I were ICO, I would not “go there” again.
So what is my suggestion?
Well, I would pass serious cases like this to the Director of Public Prosecutions asking him to assess whether there was a prospect of a custodial offence:
• under the Computer Misuse Act (as personal data are often on a computer) and unauthorised access to a computer should equate with using computerised personal data without the consent of the data controller;
• of Malfeasance in Public Office (this is a common law offence – see references below) which applies to all public servants (as in this case); or
• under sector specific legislation that applies to certain information held by public authorities (e.g. Census, Official Secrets and Social Security legislation have these offences).
Secondly, I would take a close look at the Monetary Penalty Notice (MPN). According to the Press Release, the convicted manager “took the information hoping to use the data for a new fitness company he was setting up”. Ergo, his company was a data controller and could have actually processed sensitive personal data unlawfully (and the data controller should have known that this is the case).
So, it is possible that the manager’s company could be subject to a MPN that then puts it out of business; well if a business depends on the unlawful processing of sensitive personal data it probably deserves it. Even if the company went into bankruptcy before the penalty could be recovered (as with the case of ACS Law), the message that a MPN would send would be unmistakeable.
Even if the manager moved jobs to some other employer, that employing data controller could have benefitted by the processing of sensitive personal data unlawfully. Here the substantial breach could be associated with the First Data Protection Principle on the grounds of “unlawful processing”. There again, the MPN could be in the frame.
Then I would look at the manager’s previous employer. What did this data controller do with respect to leavers procedures? Are leaving employees told that they cannot use or disclose personal data they have been privy to? Is there a breach of the Seventh Principle?
Finally, I would challenge tosh like this published by the NHS on its home page to reassure the public. Read on to find one obvious mistake:
“There are strict laws and regulations to ensure that your health records are kept confidential and can only be accessed by health professionals directly involved in your care…. Under the terms of the Data Protection Act (1998) …. “It is a criminal offence to breach the Data Protection Act (1998) and doing so can result in imprisonment”. (Quote present on the site’s home page on 5 June 2013; I wonder how long it remains!)
If I were ICO, I would insist that this sentence be replaced by: “It is a criminal offence to breach the Data Protection Act (1998); the penalty associated with this offence might be insignificant, for example when compared with what individuals might gain from committing the offence”.
References:
ICO press release re the DPA offence: http://www.ico.org.uk/news/latest_news/2013/leisure-centre-employee-prosecuted-for-unlawfully-obtaining-health-information-23052013
More on malfeasance in public office: http://amberhawk.typepad.com/amberhawk/2011/01/absence-of-custodial-data-protection-offence-increases-likely-use-of-malfeasance-in-public-office.html
NHS website with tosh about the DPA: http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pages/overview.aspx