The Department of Constitutional Affairs announced last week that it will introduce jail terms for information thieves and traders, following calls from the Information Commissioner to punish privacy breaches with jail time.
But the Information Commissioner's interpretation of a previous court ruling means that the punishments will not apply to paper files. Michael Durant's was a landmark case in data protection, and part of that case involved paper-based, manual records systems.
"Following the Durant case the Information Commissioner said that most manual filing systems will not be covered by the Act," said Dr Chris Pounder, a privacy specialist at Pinsent Masons, the law firm behind OUT-LAW.COM.
"Manual records are not covered by section 55 DPA unless they are held in relevant filing systems," said a DCA spokeswoman. "Consequently, the new penalties will not apply to public authority manual files, but it should be noted that neither do the existing penalties."
The exclusion of most manual records systems was designed to alleviate the burden of cross referencing files in manual systems not designed for that purpose. Though it is easy to run a search for a person's name across a whole electronic database, it is much more difficult to find a reference to a person in an otherwise unrelated file without sophisticated cross referencing systems. Those sophisticated systems, known as relevant filing systems, are not exempt from the offences.
"If private data was taken from normal files this new offence wouldn't apply," said Pounder. This means that someone stealing or selling information from such systems would not be sent to jail under the just-announced rules.
"Some manual files are still protected, such as health, social work, housing and education records. Any other personal file, such as personnel records, are not," said Pounder.
The plans to jail offenders were announced last week by the DCA as amendments to the Data Protection Act (DPA). There is currently no jail term for the offences.
"People have a right to have their privacy protected from those who would deliberately misuse it and I believe the introduction of custodial penalties will be an effective deterrent to those who seek to procure or wilfully abuse personal data," said Lord Falconer, Secretary of State for Constitutional Affairs.
The penalties relate to an offence created by Section 55 of the DPA, which makes it an offence to sell or offer to sell personal data which has been obtained without the consent of the data controller.
"More than 300 journalists are implicated in this illegal activity," a spokesman for the Information Commissioner's Office (ICO) previously told OUT-LAW. "We have given them a clear warning that we will not hesitate to take action if they are suspected in future of committing offences."
"Information obtained improperly, very often by means of deception, can cause significant harm and distress to individuals," he said.
Earlier this year News of the World journalist Clive Goodman was jailed for intercepting mobile phone messages belonging to staff of the Royal Family. Goodman was jailed under the Regulation of Investigatory Powers Act (RIPA) in connection with the telephone interception, rather than the DPA, but Information Commissioner Thomas has said that he wants any dealing in information to be punishable by a jail sentence.
The ICO's report, What Price Privacy Now?, revealed that most major newspapers had engaged in the buying of information from one raided investigations agency. The ICO published the names of the newspapers involved, and the list included broadsheet titles such as The Observer and The Sunday Times as well as red top tabloids.
Falconer said that the new penalties were vital because data sharing is a major Government policy and people must feel that their information is well protected.
"Greater data sharing within the public sector has the potential to be hugely beneficial to the public and is wholly compatible with proper respect for individuals' privacy," said Falconer. "One of the essential ways of maintaining that compatibility is to ensure the security and integrity of personal data once it has been shared."
The changes come following a consultation launched in July last year. That consultation proposed the two year jail sentences and closed last October. At the time, Falconer said that the jail term would not apply to Government staff who make honest errors. He said the changes will not result in penalties for front-line public sector staff who, while sharing data for legitimate reasons, make an error of judgement.
Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.