MPs demand prison for breaches of the Data Protection Act

However, the ICO argues that monetary penalties are a better way to deal with companies that breach the DPA

MPs have demanded custodial sentences for breaches of the Data Protection Act, stating that the existing policy of fining offenders is an inadequate deterrent.

In a Justice Select Committee report, committee chairman Sir Alan Beith MP argues that such breaches are serious offences, and small financial penalties are an ineffective deterrent.

"Using deception to obtain personal information, or selling it on without permission are serious offences that can cause great harm.

"Fines are used to punish breaches of data protection laws, but they provide little deterrent when the financial gain exceeds the penalty."

The report also warns that some misuses of personal data are not being investigated properly, as the Information Commissioner's Office (ICO) lacks the power to force organisations to undergo information audits.

"The Information Commissioner's lack of inspection power is limiting his ability to identify problems or investigate potential data abuses," says Beith.

"Ministers must examine how to enable the Commissioner to investigate properly without increasing the regulatory burden on business or the public sector."

Speaking exclusively to Computing, Deputy Information Commissioner David Smith explained that these powers are already provided for in the Criminal Justice and Immigration Act of 2008, but the Secretary of State has yet to bring them into force.

"We're saying go ahead and do it, there's a serious problem and we need custodial sentences, there's no need to wait until the Leveson Enquiry."

The Leveson Enquiry is an investigation into the issues raised by the News of the World phone hacking scandal, begun this year. Lord Justice Leveson is the chairman of the enquiry.

Smith stated that the government has previously confirmed that it intends to wait for Lord Leveson's results before it brings these new powers for the Information Commissioner's Office (ICO) into force.

"The government told us that they're not inclined to bring these measures into force until the enquiry is concluded," he said.

Smith added that it's not unusual for there to be a long hiatus between new powers being conferred by an Act and their actual enforcement.

"Section 56 of the Data Protection Act 1998 (DPA) deals with public access to their criminal records. We're still arguing for that to be implemented."

Smith concluded that while custodial sentencing would be appropriate where an individual has breached the DPA, financial penalties remain the best way to deter organisations.

"These [custodial] provisions are about the individual who knowingly gets access to information they're not entitled to. The more general failure of organisations to meet their security requirements is best dealt with via monetary penalties.

"A criminal prosecution against an individual doesn't carry the same stigma for an organisation as a large fine."

Under the terms of the Criminal Justice and Immigration Act of 2008, the ICO is allowed to fine organisations up to £500,000 where it deems that a breach of the DPA is sufficiently severe.

The Select Committee's report has also been welcomed by industry.

Nick Lowe, vice president of sales EMEA at privileged identity management firm Cyber-Ark, said that the misuse of personal information is widespread.

"I don't think anyone would disagree with the Justice Select Committee that there must be tougher personal data abuse laws.

"The misuse of privileged access to sensitive information is undeniably widespread and, with reports revealing that even bodies such as the police force have misused their powers, it is completely justifiable for there to be concern about the way that such issues are dealt with in the eyes of the law."

In a statement on the ICO web site, Information Commissioner Christopher Graham welcomed the support of the Select Committee, but warned that the proposals should be enacted quickly rather than be bogged down by political process.

"The government should lose no more time in bringing in appropriate deterrent sentences to combat the unlawful trade in personal data.

"We need action, not more words. Citizens are being denied the protection they are entitled to expect from the Data Protection Act."