For many businesses today, information is their most valuable asset. The stated purpose of the Data Protection Act 1998 ("DPA") is to ensure that organisations, business and the government keep personal data secure and process it fairly and lawfully. It is perhaps not surprising, therefore, that organisations tend to view the DPA as legislation with which they must comply or face the consequences. It can, however, be a useful weapon in an organisation's armoury against bad employees.
The recent case of Mark Lloyd, summarised below, is a helpful reminder that under s.55 of the DPA, a person commits an offence if they knowingly or recklessly, without the consent of the data controller, either (i) obtain or disclose personal data or the information contained in personal data, or (ii) procure the disclosure to another person of the information contained in personal data.
Mark Lloyd was a former employee of Acorn Waste Management Limited ("Acorn"). When Mr Lloyd left Acorn, he sent information relating to 957 of its clients to his personal email account to use in his new job with one of Acorn's competitors. The information contained the personal data of Acorn's clients, such as their contact details and purchasing history.
Acorn reported Mr Lloyd to the Information Commissioner's Office (ICO), which prosecuted him under s.55 of the DPA. The Magistrates' court convicted him and fined him £300. He was also ordered to pay a victim surcharge of £30 and Acorn's costs of £405.98.
In 2014/15 alone, the ICO prosecuted 13 s.55 cases and secured 10 criminal convictions; the previous year, it reported 12 criminal convictions pursuant to s.55. The cases span a broad range of subject matter. By way of example:
- In November 2014, a pharmacist was prosecuted and fined £1,000 for unlawfully accessing the medical records of family members, work colleagues and local health professionals;
- In March 2013, a former manager of a health service was fined £3,000 for obtaining sensitive medical information relating to over 2,000 people to use for his new business;
- In March 2013, a former receptionist at a GP surgery was fined £750 (and ordered to pay the victim a surcharge and costs) for unlawfully obtaining sensitive personal information relating to her ex-husband's new wife; and
- In December 2012, a Barclays bank employee was fined £5,000 for accessing the bank statements of her partner's ex-wife.
Section 55 of the DPA – the offence and its limitations
As noted above, under s.55 of the DPA, a person commits an offence if they knowingly or recklessly, without the consent of the data controller, either (i) obtain or disclose personal data or the information contained in personal data, or (ii) procure the disclosure to another person of the information contained in personal data. A person convicted of an offence under s.55 is liable to a fine in summary proceedings in either the Magistrates' Court or the Crown Court.
However, there are limitations to the ICO's ability to prosecute such offences. The ICO must first obtain the consent of the Director of Public Prosecutions before taking any steps to prosecute. Also, there is a full defence to s.55 if the person shows:
- That the obtaining, disclosing or procuring was necessary for the purpose of preventing or detecting crime, or was required or authorised by law;
- That they acted in the reasonable belief that:
  - they had the right in law to obtain or disclose the data/information or, as the case may be, to procure the disclosure of the information to the other person; or
  - they would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it; or
- That in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.
Since 12 March 2015, the cap of £5,000 which Magistrates' courts could fine s.55 offenders has been lifted, though historically, fines have rarely reached £5,000, even in the Crown Court, where no such cap applied.
It has therefore been argued that there is no adequate deterrent to the DPA's sole criminal offence, as offenders may take the view that the commercial value of the stolen data may exceed that of any fine imposed. For example, in R v Nagra (2016), Ms Nagra had sold 28,000 customer records which she had obtained whilst working at a car rental company for £5,000, but was only fined £1,000.
The ICO and various pressure groups have long called for custodial penalties to be introduced for breaches of s.55. Although the Criminal Justice and Immigration Act 2008 introduced a power to amend s.55 to include a custodial sentence, that provision has still not been implemented. Christopher Graham, who stepped down recently after seven years as Information Commissioner, commented earlier this year that:
"The fines that courts are issuing at the moment just don't do enough to discourage would-be data thieves... we'd like to see the courts given more options: suspended sentences... and even prison in the most serious cases. With so much concern about the security of the data, it is more important than ever that the courts have at their disposal more effective deterrent penalties than just fines. People who break the criminal law by trading in other people's personal information need to know that they will be severely punished and could even go to prison."
Tactical advantages of s.55 DPA
Despite the argument that s.55 lacks teeth, that does not mean that it is an entirely blunt instrument. There are tactical advantages to deploying s.55 in data breach scenarios:
- s.55 is drafted more widely than other criminal offences relevant to data breach scenarios, for example:
  - The Computer Misuse Act 1990 requires "unauthorised access" to a device. That may not be applicable when the data has been appropriated by an employee who was authorised to use the device from which the data was taken.
  - The Regulation of Investigatory Powers Act 2000 ("RIPA") makes it an offence to "intentionally and without lawful authority intercept any communication". However, again, particularly in an employment context, no 'interception' per se may have occurred.
  - By contrast, the offence pursuant to s.55 is committed by simply "obtaining" the data without the data controller's consent – no unauthorised access, interception or even unauthorised use of that data is required.
- Reporting a case to the ICO pursuant to s.55 is likely to be of low or even no cost to an organisation, and the ICO will then decide if and how to pursue the offender. The notification procedure consists of a three-page form that can be found on the ICO website.
- Seeking relief in the civil courts, for example for damages and/or to prevent (further) misuse or disclosure of the data, on the other hand, may be more costly. But, if that is a course of action an organisation chooses to take, the criminal conviction may prove useful in those civil proceedings.
In the case of an employee or former employee taking company information which includes personal data, it is worth bearing in mind that s.55 can be a powerful tactical weapon for organisations. Although the fines have historically been at the low end, a criminal conviction in itself is likely to act as a powerful deterrent to most. Further, given that a considerable number of large-scale, high-value data breaches have occurred recently, together with increased regulation in the form of the GDPR, it may be that pressure will mount to implement custodial sentences, or that the courts will impose higher fines in the future.