Unlawful Obtaining of Personal Information.

This is the third of three reports reviewing the ICO regulatory activity for 2017. This final report looks at prosecutions for the criminal offence of unlawfully obtaining personal information.

Section 55 of the DPA 1998 creates two offences:

A person must not knowingly or recklessly, without the consent of the data controller:

  1. obtain or disclose personal data or the information contained in personal data; or
  2. procure the disclosure to another person of the information contained in personal data.

The offence is committed when someone without authority accesses personal information or procures the disclosure of personal information.

Neither Section 55(1) nor (2) are “strict liability” offences. In other words an offender must show an intent to commit the offence either by acting ‘knowingly’ or ‘recklessly.’

An individual acts recklessly when he is aware that a risk exists or will exist and that it is unreasonable to take the risk.

During 2017 the ICO prosecuted 15 persons for unlawfully obtaining personal information. There were eight prosecutions of NHS Trust staff who had unlawfully accessed the personal information of friends and colleagues. A further four individuals were prosecuted for forwarding personal information to their personal email address to use to start up a new business. Two individuals were prosecuted for using social engineering methods to unlawfully obtain personal information and one individual was prosecuted for forwarding personal information to a third party.

It is clear that the ICO will prosecute in most cases where there is an allegation of the unlawful obtaining of personal information.

Organisations and individuals should be aware that obtaining has been held to include looking at personal information. Those who access personal information without the consent of the data controller commit the offence whether or not they make any attempt to remove, download or upload the information.

It is sensible for organisations to warn employees of the risks that are associated with accessing personal information without authority. It is also sensible for organisations to restrict access to personal information especially sensitive personal information ( or the new GDPR definition – special categories). This restriction should be in the form of a policy which should form part of the organisation’s data protection training.

Some organisations go further and warn employees that if they access personal information without authority it will be considered gross misconduct and the facts will be reported to the ICO. In such cases this could lead not only to dismissal but also to a criminal record.

The section 55 offence is triable either way – meaning that it can be tried either in the Magistrates’ Courts or the Crown Court. The maximum sentence is an unlimited fine.

Organisations should also be aware that the Information Commissioners Office has long called for the introduction of custodial sentences for breaches of section 55 of the DPA 1998. The ICO argues that the court’s powers are an insufficient deterrent.

The two previous Information Commissioners, Richard Thomas and Christopher Graham both appealed to the government to increase the penalty for Section 55 to one of imprisonment.

Richard Thomas in his report to Parliament ‘What Price Privacy’ said:

The fact that prison is not currently an option for persons convicted of Section 55 offences belittles the offence and masks its true seriousness, even to the judiciary. The threat of imprisonment would also, in their view, act as a suitable deterrent (2006).

Christopher Graham made a similar call following the conviction of an employee of a car rental company who sold almost 28,000 customer records for £5000. The individual concerned was an administrative assistant at a car rental company, and was responsible for processing customer details sent to the car rental company by an insurance company. The details, typically of people who had been involved in road traffic collisions, included details of the policyholder as well as details of their insurance claim. On conviction she was fined £1000 and was ordered to pay £100 victim surcharge and £864 prosecution costs.

Christopher Graham said:

With so much concern about the security of data, it is more important than ever that the courts have at their disposal more effective deterrent penalties than just fines. People who break the criminal law by trading in other people’s personal information need to know that they will be severely punished and could even go to prison.

In November 2017, Mike Shaw Head of Criminal Investigations at the ICO said:

At the moment, s55 offences can only be punished with a fine – the eight convictions this year attracted fines and costs totalling more than £8,000 – but in the future, we would like to see custodial sentences introduced as a sentencing option for the courts in the most serious cases.

Others have recommended that the court be afforded greater sentencing powers for breaches of section 55. For example, in November 2012, Sir Brian Leveson published his report into the culture, practices and ethics of the UK press in which he argued that the power to include custodial sentences should be exercised.

This was a reference to The Criminal Justice and Immigration Act 2008 (the 2008 Act) which introduced a power to amend section 55 to include custodial sentences. The Home Secretary can, after consultation, issue secondary legislation under the 2008 Act to introduce custodial sentences of up to 12 months on summary conviction, and up to two years of imprisonment for a conviction on indictment for those involved in the illegal trade of personal information (see section 77 of the 2008 Act). This provision is not yet in effect.

It is possible that the Section 55 offence may become an offence punishable by imprisonment in the future.

Organisations should also be aware that there is a relationship between the Section 55 offence and the 7th data protection principle. The 7th principle is also called the security principle:

Appropriate technical and organisational measures shall be taken against unathorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

If personal information is unlawfully obtained contrary to Section 55 this will be considered a data security breach by the ICO and dependent upon the circumstances they may form the view that poor data security was a factor. This could lead to regulatory action for a breach of the 7th principle.

Organisations should have clear policies and procedures in relation to unlawful obtaining and should consider restricting access to records containing sensitive personal information. An awareness of Section 55 should be part of an organisations data protection staff training.

The offence of unlawful obtaining is contained within the Data Protection Bill.