WIREDGOV

Custodial sentences need to be available to the courts to stop the unlawful use of personal information, Information Commissioner Christopher Graham will say today in an appearance before the Justice Select Committee.

The call for action comes as a bank cashier yesterday pleaded guilty to using her position to access illegally the personal details of a sex attack victim. The cashier’s husband had been convicted of carrying out the attack and was serving time in jail. Sarah Langridge - a former employee of Barclays Bank – claimed she accessed the victim’s accounts and banking records to try to build a picture of the woman who had accused her husband. Mrs Langridge was fined £800, made to pay £400 costs and a £15 victims’ surcharge in a hearing at Brighton Magistrates Court.

Information Commissioner, Christopher Graham, said:

“It beggars belief that – in an age where our personal information is being stored and accessed by more organisations than ever – the penalties for seriously abusing the system still do not include the possibility of a prison sentence, even in the most serious cases. Access to online records is now part and parcel of almost every transaction the citizen makes – with government agencies, local government, the NHS, DVLA, high street banks, insurers, social networks. This only makes the risks to privacy greater and the need for security greater still.

“The details of this case are truly shocking. The victim had a harrowing enough experience at the hands of her attacker; the revelation that her attacker’s wife was then rooting through all her personal details, for whatever purpose, would have caused even further distress.

“I note the outcome of this latest case, and I remain concerned that the courts are not able to impose the punishment to fit the crime in all cases, because the current penalty for this all too common offence is limited to a fine rather than the full range of possible sentences, including prison for the most serious cases,” Mr Graham said.

Christopher Graham will use his appearance before the Justice Committee today to call for custodial sentences to be made available to the courts as a more effective deterrent to the unlawful trade in, and access to, personal information.

Mr Graham continued:

“There has been a lot of coverage in the media about the section 55 offence – or ‘blagging’ personal information, as it is known. But this offence is not just about private investigators finding out about celebrities’ hospital appointments. This crime has the potential to devastate ordinary people’s lives. The existing paltry fines are not enough to deter. The government must show they take this problem seriously by commencing the legislation Parliament put in place in 2008. If courts were able to impose the full range of sentences from fines to jail terms, including other sanctions such as community service where appropriate, we would at last have an effective deterrent to stop people engaging in this criminal activity.

“Blagging isn’t hacking, but the issue has got caught up in the controversy over press behaviour. Unfounded concerns about press freedom were a distraction in 2008 and they should never have halted the introduction of stronger sanctions. They should not delay any further the commencement of the powers needed to combat this modern scourge.”

Section 55 of the Data Protection Act makes it an offence to “knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data.” The current penalty for committing the offence is a maximum £5,000 fine if the case is heard in a Magistrates Court and an unlimited fine in a Crown Court.

In this latest case, Mrs Langridge’s offences were uncovered following a court hearing concerning her husband’s sentence for committing a serious sexual offence. His victim recognised Mrs Langridge in court as working at the local bank branch she used. Concerned that her account had been unlawfully accessed, the victim contacted Barclays bank and the police. The bank’s enquiries found that Mrs Langridge had regularly accessed the victim’s records on eight separate dates over a period of eight months – the period during which her husband’s court case was ongoing.

Mrs Langridge viewed the victim’s account records including her personal details, current account entries, lending records and employer details. During an interview under caution, the defendant claimed that she had not made a record of any of the information she viewed and had not disclosed it to her husband or any other third party.

Other section 55 offences where the Information Commissioner’s Office (ICO) has successfully brought prosecutions include:

• In June 2011, a personal injury claims company employee was prosecuted for illegally obtaining NHS patients’ information over a four month period. Martin Campbell, a former employee of the Bury-based personal injuries company Direct Assist, obtained the information from his former girlfriend who worked at an NHS walk-in centre. He then used it to generate leads for personal injury claims.  He was fined £1,050 and made to pay £1,160 towards prosecution costs.
• In June 2011, two former employees of UK mobile operator T-Mobile were found guilty of illegally stealing and selling select customer data from the company in 2008.  David Turley and Darren Hames were given conditional discharges – one of the lightest sentences possible – but were made to pay a total of £73,700 in confiscation costs under the Proceeds of Crime Act. This was to recover some of the money the pair made from selling the information. Sentencing the pair, the judge (His Honour Judge Woodward) noted that the sentencing powers of the court were limited and that, taking into account the defendants’ ability to pay, ‘any further financial penalty…would not reflect either of your true culpability.’
• Two former members of the BNP posted the party membership list on the internet in November 2008. When the case was brought to court by Dyfed Powys Police, the District Judge at Nottingham Magistrates Court said: “It came as a surprise to me, as it will to many members of the party, that to do something as foolish and criminally dangerous as you did will only incur a financial penalty.” One man was fined £200.
• In June 2008, private investigators Christopher Hackett and Darren Whalley pleaded guilty to blagging personal information from BT for a client who was trying to trace her partner. Christopher Hackett was able to blag the information by pretending to be a BT employee. They were fined £400 and £500 respectively.
• The police have also investigated a number of incidents where their own staff have unlawfully accessed people’s personal details from the Police National Computer. In 2007 a 79 year old man died shortly after a brick was thrown through his lounge window. The man had been involved in a dispute with a woman over a parking space. The woman’s husband subsequently asked a serving police officer to identify the pensioner’s address. He and his brother then went to the pensioner’s house. They were both convicted of manslaughter and the police officer was fined £1200 and resigned from the force.
• In 2005, a private investigator working for Pearmac Limited was fined £6,250 after trying to obtain a rape victim’s address from her GP and utility company. The rape victim believed that the attempts to obtain her details could be part of an act of revenge directed at her for reporting and giving evidence against her attacker.

The case for making available custodial sentences as the penalty for  section 55 offences was overwhelmingly supported by respondents to a government consultation “Increasing penalties for wilful misuse of personal information” in 2006. Indeed, the Government itself recognised the case was overwhelming at the time, and gave a commitment for introducing custodial sentences. This provision was introduced to Parliament during the passage of the Criminal Justice and Immigration Act 2008, but was amended at the report stage in the House of Lords to provide the power to the Secretary of State to introduce the custodial sentence by statutory instrument. Section 77 (the custodial penalty) is accompanied by an enhanced ‘reasonable belief’ defence for the Special Purposes (section 78). Both sections remain to be commenced.

The ICO continues to see a rise in reported allegations of section 55 offences. Numbers reported during 2010 to 2011 are up 18% against figures reported during 2008 to 2009.

Notes to Editors

• The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
• The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
• Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection
  
• The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter
• Contact our press office on 0303 123 9070 and at ico.gov.uk/press

Related items

• Justice Select Committee website
• Section 55 of the Data Protection Act