Under the Data Protection Act 1998 (“DPA”), it is an offense to knowingly or recklessly obtain or disclose personal data, or the information contained in personal data, without the consent of the data controller. Section 55 of the DPA details the offenses and any exclusions, or defenses, which may apply. It also sets out the procedure for monetary penalties to be imposed. Under the current law, the maximum penalty for those found guilty of offenses such as selling personal data is a £5,000 fine in the Magistrates' Court and an unlimited fine in the Crown Court. However, cases leading to substantial fines are rare.
The Ministry of Justice (which oversees the Information Commissioner’s Office, the “ICO”) has recently announced a consultation exercise to decide whether to introduce tougher penalties for breaches of section 55 of the DPA, which could lead to the introduction of custodial sentences for those convicted. Although provision was made to introduce prison sentences through the Criminal Justice and Immigration Act 2008, this has yet to be implemented and is subject to the consultation exercise, which is expected to close on 7 January 2010.
If adopted as law, the maximum penalty for the knowing or reckless misuse of personal data would be a prison sentence of up to 12 months (if heard in the Magistrates' Court) or up to 2 years (if heard in the Crown Court). This is an important development for the ICO, which has fairly limited powers of enforcement, and is arguably a necessary response to the increasingly serious breaches of the DPA involving the misuse of personal data.