This month the Information Commissioner, Christopher Graham, repeated his call for stronger sentencing powers in relation to individuals who steal personal information.

This call comes after a recent incident highlighted the inadequacy of the current options available to the Court to both punish and deter would-be data thieves.

What happened?

This recent incident involved an employee of a car rental company who stole the personal data, including details of the policy holder and their insurance claim, of almost 28,000 people. She then sold it to an accident claim company o make nuisance calls.

In this instance the employee, Sindy Nagra, pleaded guilty to unlawfully obtaining, disclosing and selling personal data, a criminal offence under section 55 of the Data Proection Act 1998 (the “DPA”). Whilst the Courts have the power to impose unlimited fines in respect of such offences, they do not have the power to impose custodial sentences.

Despite Nagra selling this information for £5,000, the Court only fined her £1,000 and, whilst she was also ordered to pay a £100 victim surcharge and £864 prosecution costs, Nagra still made a profit.

Equally, the recipient of this stolen personal information was also guilty of an offence under section 55 of the DPA. They were also fined £1,000, ordered to pay a victim surcharge and was required to pay £864 prosecution costs.

What was the ICO reaction?

In response to this incident and the outcome of the Court, the Information Commissioner, Christopher Graham, commented that

“This fine highlights the limited options the Courts have. windy Nagra got £5,000 for stealing thousands of people’s information. She lost her job when she was caught and has no money to pay a fine, and the courts have to reflect that, but we would like to see the courts given more options: suspended sentences, community service, and even prison in the most serious cases.

Key messages

  • The ICO have been calling for stronger powers for some time now. With so many thefts of personal data being reported in the media, it is only a matter of time before Westminster recognises the need for greater deterrents and punishment or these offences;
  • Anyone who unlawfully obtains or discloses personal data without the consent of the data controller is likely to be guilty of an offence under section 55 of the DPA. However, it is important that all employees understand what they can and cannot do with the information they access as part of their employment as otherwise, in the event that they do take and sell such information, it may prove difficult to establish and enforce that an offence has been committed.
  • Any organisation purchasing personal data must ensure that they are obtaining it lawfully and that they have the right to use it for their intended purposes. Otherwise, by obtaining it and/or using it, they too will be guilty of committing an offence.

How can Merrion Data Consultants help?

We can help you by:-

. Ensuring that you have appropriate policies and procedures in place to help protect your business against data theft and disclosures.

. Supporting you when you buy customer information to ensure that the information you receive can be used for your intended purposes and that you won’t break the law.

. Working with you to establish whether or not data has been stolen and if so, what action can be taken to manage the incident and mitigate the impact for your business and those affected.

If you would like to discuss the further, please contact us here.