ICO Demands Jail For Data Protection Offenders

The Information Commissioner’s Office (ICO) has asserted that it supports jail sentences for the most flagrant breaches of the Data Protection Act (DPA), the UK law embodying the EU’s European Data Protection Directive.

“The Information Commissioner considers that the trade in personal information justifies the possibility of a custodial sentence for the most serious offences,” the ICO stated.

Also this week, the ICO launched a consultation on the UK’s first code of practice for personal data sharing, to end on 5 January, 2011.

Prison sentences

The ICO made its case for prison sentences in a Wednesday response to a Ministry of Justice call for information on the DPA’s effectiveness. The call for information is, in turn, part of a wider process of a planned revision of EU data protection law.

The call for evidence was launched on 6 July and closed on Wednesday.

Also as part of its response, the ICO called for better coordination between freedom-of-information law and protections for the individual’s right to privacy. The ICO further said the law should provide more clarity for individuals and businesses, in particular more clarity on the scope of the law, including what constitutes personal data.

The agency said it has called for prison sentences previously in two reports laid before Parliament. In support of its argument the ICO gave the example of an ex-BNP member who had distributed a list of the party’s members, and was fined only £300.

“We need to ensure that people have real protection for their personal information, not just protection on paper, and that we are not distracted by arguments over interpretations of the Data Protection Act,” said David Smith, the ICO’s deputy commissioner and director of data protection, in a statement.

Fines not yet imposed

The ICO has the power to impose fines of up to £500,000 for serious breaches of data protection law, but has yet to use this power.

Recent serious data breaches include an incident involving the solicitors’ firm ACS:Law, which distributed online the personal information, including IP addresses, of a large number of individuals suspected of illegal file-sharing.

The European Commission has recently confirmed it will take the UK to court for breaches of the existing data protection law.

In March of this year, Viviane Reding, vice president of the European Commission responsible for Justice, Fundamental Rights and Citizenship, stated she intended to produce “a legislative proposal reforming the Directive before the end of the year”.