 
|
|
In partnership with:
01 August 2006 UK plans prison terms for personal data abuseSA MathiesonThe UK government’s plan to introduce imprisonment for those found guilty of illegally buying and selling personal data will not affect employers or officers of an organisation, as long as they did not order or encourage the breach. On 24 July, the Department for Constitutional Affairs (DCA) opened a consultation on its plan to introduce prison sentences of up to two years for those breaching the UK’s Data Protection Act 1998. The present maximum penalty is an unlimited fine. The change had been requested in May by Richard Thomas, the information commissioner (the UK’s statutory data protection officer), in his report to parliament What Price Privacy? This complained that the profits from abusing personal data were so great that the few fines issued were an insufficient deterrent. "Tougher penalties should not be seen as a barrier to data sharing in the public and private sector,” said Thomas, in a statement last week welcoming the DCA’s consultation. “However, it is important that the government and other public bodies retain public trust and confidence.” In terms of how it affects organisations, the DCA consultation document says that an employee who sold what he knew to be personal information from his organisation to a journalist would be guilty of the offence, but that his employer would not. Rosemary Jay, a partner and head of the information law team at law firm Pinsent Masons, says the proposed change will alter only the punishments available under the Data Protection Act. “There are some offences where an employer is vicariously liable for what an employee does, and this is known as strict liability,” she says, including serving alcohol to children, but this will not be extended to personal data breaches by the DCA proposal. However, Jay – who served as the information commissioner’s legal adviser from 1987 to 1999 – says that employers having strict liability for employees’ breaches of data protection law may be applied in future. She points out that abusing personal data only became illegal in the UK in the mid-1990s, and that the penalties have already been strengthened once, when the Data Protection Act was introduced. “I think this is part of a process, during which the surreptitious obtaining of information becomes less and less acceptable,” Jay says. DCA consultation, open until 30 October: http://www.dca.gov.uk/consult/misuse_data/cp0906.htm Information commissioner’s What Price Privacy? report:
http://www.ico.gov.uk/eventual.aspx?id=17613
|
|
