UK Information Commissioner prosecution
The UK Information Commissioner recently took another step forward in his campaign to halt the unlawful trade in personal information.
A press release issued at the end of April confirms that a private investigation firm, Infofind Limited, has pleaded guilty to illegally obtaining personal data from the Department for Work and Pensions ("DWP") on behalf of a finance organisation. The offence involved individuals purporting to be employees of the DWP and, by doing so, deceiving other DWP staff members into disclosing data. Section 55 of the Data Protection Act 1998 ("DPA") provides that it is an offence to unlawfully obtain, disclose or sell personal information without the consent of the data controller.
The Information Commissioner, in his May 2006 report "What Price Privacy?", has recommended strengthening the penalties for an offence under s.55, calling for prison sentences of up to 2 years. The Department for Constitutional Affairs has also acknowledged that the current penalties in the DPA for s.55 offences are not sufficiently strong. The concern is that an unlawful disclosure of information can be highly damaging for the individuals concerned, even where the information is just an address or date of birth.
This case and the report are obviously of direct interest to the private investigation industry. However, they have wider ramifications. Firstly, it is clear from What Price Privacy? that the Information Commissioner believes the law is framed in a way that applies to all businesses that request the disclosure of personal data and those who supply it, including any intermediaries. Therefore any business involved in obtaining personal data must be aware of the risks of committing an offence under s.55 DPA, even where the process has been outsourced. What Price Privacy? flags the media, insurance companies, lenders, creditors and local authorities as often being the ultimate "buyers".
Secondly, it is also clear from the report that the trade in personal data is a lucrative one and, even with increased penalties, will be difficult to halt entirely. Therefore, it is key that businesses which are at risk of being targeted by bogus callers have trained their staff to identify people who are trying to obtain personal data by deception. This will help to demonstrate that the business is taking appropriate technical and organisational measures against unauthorised processing of personal data under the DPA.
This article is reproduced from Eversheds e80 service. You can find out more about Eversheds e80 and search the Eversheds e80 archive at www.eversheds80.com.
e80 is provided by Eversheds for information purposes only and should not be regarded as a substitute for taking legal advice. It is reproduced here by kind permission of and is © Eversheds.