
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
September 19, 2011


ICO: prison sentences “must be an option” for courts to stop unlawful use of personal details

The ‘Call for Action’ from the Information Commissioner’s Office – tabled at a Justice Select Committee meeting – comes as a bank cashier last week pleaded guilty to using her position to illegally access the personal details of a sex attack victim.

The cashier’s husband had been convicted of carrying out the attack and was serving time in jail.

Sarah Langridge – a former employee of Barclays Bank – claimed she accessed the victim’s accounts and banking records to try to build a picture of the woman who had accused her husband.

As a result, Langridge was fined £800, ordered to pay £400 costs and a £15 victims’ surcharge in a hearing at Brighton Magistrates Court.

Risks to privacy greater, need for security greater still

“It beggars belief that, in an age where our personal information is being stored and accessed by more organisations than ever before, the penalties for seriously abusing the system still do not include the possibility of a prison sentence even in the most serious cases,” said Christopher Graham.

“Access to online records is now part and parcel of almost every transaction the citizen makes with Government agencies, local Government, the NHS, the DVLA, High Street banks, insurers and social networks. This only makes the risks to privacy greater and the need for security greater still.”

The Information Commissioner added: “The details of this case are truly shocking. The victim had a harrowing enough experience at the hands of her attacker. The revelation that her attacker’s wife was then rooting through all her personal details, for whatever purpose, would have caused even further distress.”

He continued: “I note the outcome of this latest case, and I remain concerned that the courts are not able to impose the punishment to fit the crime in all cases because the current penalty for this all-too-common offence is limited to a fine rather than the full range of possible sentences, including prison for the most serious cases.”

Christopher Graham used his appearance before the Justice Committee today to call for custodial sentences to be made available to the courts as a more effective deterrent to the unlawful trade in – and access to – personal information.

“There has been a lot of coverage in the media about the Section 55 offence in relation to the Data Protection Act,” he stated, “or ‘blagging’ personal information as it is known. This offence is not just focused on private investigators finding out about celebrities’ hospital appointments. This crime has the potential to devastate the lives of ordinary citizens.”

As far as Graham is concerned, the “existing paltry fines” are not enough to deter. “The Government must show they take this problem seriously by commencing the legislation Parliament put in place in 2008. If the courts were able to impose the full range of sentences from fines to jail terms, including other sanctions such as community service where appropriate, we would at last have an effective deterrent to stop people engaging in this criminal activity.”

Graham suggested that blagging isn’t hacking, but that the issue has been caught up in the controversy over press behaviour.

“Unfounded concerns about press freedom were a distraction in 2008,” he explained, “and they should never have halted the introduction of stronger sanctions. They should not delay any further the commencement of the powers needed to combat this modern scourge.”

Specifics of the Langridge case

Section 55 of the Data Protection Act makes it an offence to ‘knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data’. The current penalty for committing the offence is a maximum £5,000 fine if the case is heard in a Magistrates Court, and an unlimited fine in a Crown Court.

In this latest case, Mrs Langridge’s offences were uncovered following a court hearing concerning her husband’s sentence for committing a serious sexual offence.

His victim recognised Mrs Langridge in court as working at the local bank branch she used. Concerned that her account had been unlawfully accessed, the victim contacted Barclays Bank and the police. The bank’s enquiries found that Mrs Langridge had regularly accessed the victim’s records on eight separate dates over a period of eight months (the period during which her husband’s court case was ongoing).

Mrs Langridge viewed the victim’s account records including her personal details, current account entries, lending records and employer details.

During an interview under caution, the defendant claimed that she had not made a record of any of the information she viewed and had not disclosed it to her husband or any other third party.

Successful prosecutions of Section 55 offences

Other Section 55 offences where the Information Commissioner’s Office has successfully brought prosecutions include:

In June this year, a personal injury claims company employee was prosecuted for illegally obtaining NHS patients’ information over a four-month period. Martin Campbell, a former employee of the Bury-based personal injuries company Direct Assist, obtained the information from his former girlfriend who worked at an NHS walk-in centre. He then used it to generate leads for personal injury claims. He was fined £1,050 and made to pay £1,160 towards costs.

Also in June 2011, two former employees of UK mobile operator T-Mobile were found guilty of illegally stealing and selling select customer data from the company in 2008.

David Turley and Darren Hames were given conditional discharges – one of the lightest sentences possible – but were made to pay a total of £73,700 in confiscation costs under the Proceeds of Crime Act. This was to recover some of the money the pair made from selling the information.

Sentencing the pair, the judge (His Honour Judge Woodward) noted that the sentencing powers of the court were limited and that, taking into account the defendants’ ability to pay, ‘any further financial penalty… would not reflect either of your true culpability.’

Two former members of the BNP posted the party membership list on the Internet in November 2008. When the case was brought to court by Dyfed Powys Police, the District Judge at Nottingham Magistrates Court said: “It came as a surprise to me, as it will to many members of the party, that to do something as foolish and criminally dangerous as you did will only incur a financial penalty.” One man was fined £200.

In June 2008, private investigators Christopher Hackett and Darren Whalley pleaded guilty to blagging personal information from BT for a client who was trying to trace her partner. Christopher Hackett was able to blag the information by pretending to be a BT employee. They were fined £400 and £500 respectively.

The police have also investigated a number of incidents where their own staff have unlawfully accessed people’s personal details from the Police National Computer.

In 2007, a 79-year-old man died shortly after a brick was thrown through his lounge window. The man had been involved in a dispute with a woman over a parking space. The woman’s husband subsequently asked a serving police officer to identify the pensioner’s address. He and his brother then went to the pensioner’s house. They were both convicted of manslaughter and the police officer was fined £1,200 and resigned from the force.

In 2005, a private investigator working for Pearmac Limited was fined £6,250 after trying to obtain a rape victim’s address from her GP and utility company. The rape victim believed that the attempts to obtain her details could be part of an act of revenge directed at her for reporting and giving evidence against her attacker.

‘Overwhelming support’ over case for custodial sentences

The case for making available custodial sentences as the penalty for Section 55 offences was overwhelmingly supported by respondents to a Government consultation “increasing penalties for wilful misuse of personal information” in 2006.

Indeed, the Government itself recognised the case was overwhelming at the time, and gave a commitment for introducing custodial sentences.

This provision was introduced to Parliament during the passage of the Criminal Justice and Immigration Act 2008, but was amended at the report stage in the House of Lords to provide the power to the Secretary of State to introduce the custodial sentence by statutory instrument.

Section 77 (the custodial penalty) is accompanied by an enhanced ‘reasonable belief’ defence for the Special Purposes (Section 78). Both sections remain to be commenced.

The ICO continues to see a rise in reported allegations of Section 55 offences. Numbers reported during 2010-2011 are up 18% against figures reported in the period 2008-2009.
