The Department of Constitutional Affairs
announced last week that it will introduce jail terms for
information thieves and traders, following calls from the
Information Commissioner to punish privacy breaches with jail
time.
But the Information Commissioner's
interpretation of a previous court ruling means that the
punishments will not apply to paper files. Michael Durant's was a
landmark case in data protection, and part of that case involved
paper-based, manual records systems.
"Following the Durant case the Information
Commissioner said that most manual filing systems will not be
covered by the Act," said Dr Chris Pounder, a privacy specialist at
Pinsent Masons, the law firm behind OUT-LAW.COM.
"Manual records are not covered by section 55
DPA unless they are
held in relevant filing systems," said a DCA spokeswoman.
"Consequently, the new penalties will not apply to public authority
manual files, but it should be noted that neither do the existing
penalties."
The exclusion of most manual records systems
was designed to alleviate the burden of cross referencing files in
manual systems not designed for that purpose. Though it is easy to
run a search for a person's name across a whole electronic
database, it is much more difficult to find a reference to a person
in an otherwise unrelated file without sophisticated cross
referencing systems. Those sophisticated systems, known as relevant
filing systems, are not exempt from the offences.
"If private data was taken from normal files
this new offence wouldn't apply," said Pounder. This means that
someone stealing or selling information from such systems would not
be sent to jail under the just-announced rules.
"Some manual files are still protected, such
as health, social work, housing and education records. Any other
personal file, such as personnel records, are not," said
Pounder.
The plans to jail offenders were announced
last week by the DCA as amendments to the Data Protection Act
(DPA). There is currently no jail term for the offences.
"People have a right to have their privacy
protected from those who would deliberately misuse it and I believe
the introduction of custodial penalties will be an effective
deterrent to those who seek to procure or wilfully abuse personal
data," said Lord Falconer, Secretary of State for Constitutional
Affairs.
The penalties relate to an offence created by
Section 55 of the DPA, which makes it an offence to sell or offer
to sell personal data which has been obtained without the consent
of the data controller.
"More than 300 journalists are implicated in
this illegal activity," a spokesman for the Information
Commissioner's Office (ICO) previously told OUT-LAW. "We have given
them a clear warning that we will not hesitate to take action if
they are suspected in future of committing offences."
"Information obtained improperly, very often
by means of deception, can cause significant harm and distress to
individuals," he said.
Earlier this year News of the World journalist
Clive Goodman was jailed for intercepting mobile phone messages
belonging to staff of the Royal Family. Goodman was jailed under
the Regulation of Investigatory Powers Act (RIPA) in connection
with the telephone interception, rather than the DPA, but
Information Commissioner Thomas has said that he wants any dealing
in information to be punishable by a jail sentence.
The ICO's report, What Price Privacy
Now?, revealed that most major newspapers had engaged in the
buying of information from one raided investigations agency. The
ICO published the names of the newspapers involved, and the list
included broadsheet titles such as The Observer and The Sunday
Times as well as red top tabloids.
Falconer said that the new penalties were
vital because data sharing is a major Government policy and people
must feel that their information is well protected.
"Greater data sharing within the public sector
has the potential to be hugely beneficial to the public and is
wholly compatible with proper respect for individuals' privacy,"
said Falconer. "One of the essential ways of maintaining that
compatibility is to ensure the security and integrity of personal
data once it has been shared."
The changes come following a consultation
launched in July last year. That consultation proposed the two year
jail sentences and closed last October. At the time, Falconer said
that the jail term would not apply to Government staff who make
honest errors. He said the changes will not result in penalties for
front-line public sector staff who, while sharing data for
legitimate reasons, make an error of judgement.
