Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

Jail sentence penalties for data breaches will be consulted on despite Government's scepticism

The Government has reiterated its commitment to consult on introducing custodial sentences as a possible penalty for individuals who breach UK data protection laws.11 Oct 2013

In a letter (46-page / 238KB PDF) to the chairman of Parliament's Home Affairs Committee Keith Vaz, Justice Secretary Chris Grayling said that the public would be asked whether there should be new custodial penalties for breaches of Section 55 of the Data Protection Act (DPA).

Section 55 of the Data Protection Act (DPA) states that it is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data" without the consent of those who control the data.

The current penalty for committing a section 55 offence is a maximum £5,000 fine if the case is heard in a Magistrates Court and an unlimited fine for cases tried in a Crown Court.

Under the Criminal Justice and Immigration Act (CJIA) the Justice Secretary has the power to introduce new regulations that would allow a custodial sentence penalty to be available for the offences under Section 55 of the DPA, but those powers have yet to be used. In 2008 the Act came into force without those powers being immediately available.

"[In his report into the culture, practices and ethics of the press] Lord Justice Leveson made a range of data protection related proposals which are potentially far reaching in their nature, including that the Government introduce the possibility of custodial penalties for section 55 offences," Grayling said. "These recommendations could in particular have an impact on the conduct of responsible investigative journalism. The issues raised in the data protection elements of Lord Justice Leveson's report were not subject to the same level of public scrutiny as other elements of the inquiry."

"It is the Government's view that the recommendations require careful consideration by a wide audience. We therefore intend to conduct a public consultation on the full range of data protection proposals, including on whether to introducing custodial sentences under section 77 of the CJIA. Consultation on the latter is a statutory requirement. This will enable us to seek views on their impact and how they might be approached. We think it is important that the public get the opportunity to consider the question of whether to introduce custodial penalties for breaches of section 55 in the context of Lord Justice Leveson's wider proposals relating to the data protection framework," he added.

The Government has previously expressed scepticism about whether there is a need for the CJIA provisions to be brought into force.

"The Government believes that misuse of personal data should be taken very seriously, however, it is important to note that there are already a range of existing offences that cover the misuse of personal data," the Government said in a report published in June. "These include fraud by false representation in breach of the Fraud Act 2006 and bribing another or being bribed contrary to the Bribery Act 2010. The offence of unlawful interception of communications under Regulation of Investigatory Powers Act 2000 and unauthorised access to computer material under the Computer Misuse Act 1990, both carry a maximum two year prison sentence."

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, previously said that it is "perverse that organisations and individuals guilty of accidental breaches of personal data can be issued with monetary penalty notices of up to £500,000 for those breaches, but organisations and individuals guilty of a criminal offence of deliberately invading privacy and misleading others can escape with a relatively minor punishment".

Marc Dautlich of Pinsent Masons has also previously backed calls, led by the Information Commissioner, for the CJIA provisions to be introduced. The data protection law specialist said that there is an "overwhelming" case to justifying the powers being brought in.

Expertise in Confidential Information

Ideas, techniques and know-how can lie at the heart of a business. Pinsent Masons' international intellectual property team is dedicated to helping you to protect those intangible valuables that help you to stand out from your competitors.

More about Confidential Information