CRIMINAL PROCEEDINGS

In theory any breach of the data protection principles can result in criminal proceedings against the data controller, because of the provisions of section 47 of the DPA, which says that a person who fails to comply with an enforcement notice, an information notice or a special information notice is guilty of an offence. However, as far as these offences are concerned the data controller always has a ‘second chance’, because if a notice is complied with, section 47 is not engaged.

The DPA does create a series of criminal offences that do not require the Information Commissioner to go through the notice procedure before prosecution. In these cases the Information Commissioner may commence criminal proceedings if he considers that he has sufficient evidence to prove beyond reasonable doubt that the data controller is guilty. These criminal offences are as follows:

  • notification offences by virtue of sections 21 and 22 of the DPA;

  • failure to provide information under section 24;

  • obstruction of inspection of overseas information systems under section 54A;

  • unlawful obtaining, disclosure or sale of personal data under section 55;

  • enforced subject access under section 56;

  • Information Commissioner offences under section 59;

  • Information Tribunal contempt offences under Schedule 6, paragraph 8;

  • obstruction of warrant offences under Schedule 9.

Who can be prosecuted?

Under this series of offences a variety of people can be prosecuted. Under sections 21 and 22 of the DPA only a data controller can be prosecuted, because it is only a data controller who has the obligation to notify. Conversely, under sections 54A, 55 and 56 of the DPA and under Schedule 6 and Schedule 9 any person can be prosecuted, meaning that the offences are not limited to data controllers. The offences under section 59 can only be committed by the Information Commissioner, or by a past or current member of staff or agent of the Information Commissioner.

Criminal liability of directors etc.

Section 61 contains a very important provision for corporate bodies, as it makes directors, managers, secretaries and similar officers personally liable for criminal offences committed by their organizations where they have consented to the offence or connived in it or if the offence was committed due to their negligence. This means that the DPA pierces the corporate veil.

Who can bring a prosecution?

The Information Commissioner is the primary prosecuting authority, but criminal proceedings can also be commenced by the Director of Public Prosecutions and by any other person with the consent of the Director. In Northern Ireland the additional prosecuting authority is the Director of Public Prosecutions for Northern Ireland.

Penalties

Offences under section 54A and Schedule 9, paragraph 12 can only be tried in the Magistrates’ Court. All of the other offences, including notice offences, can be tried in either the Magistrates’ Court or in the Crown Court, depending upon seriousness. The maximum fine in the Magistrates’ Court is currently £5,000, but in the Crown Court fines are unlimited. At the date of publication of this book the Department of Constitutional Affairs is conducting a public consultation on proposals made by the Information Commissioner for the introduction of custodial sentences of up to two years’ imprisonment for breaches of section 55 of the DPA.

Notification offences

Section 21(1) of the DPA makes it an offence for a person to process personal data without having first notified in accordance with section 17(1). This is a strict liability offence, meaning that if a data controller fails to notify when required to do so, it will be convicted. There is no due diligence defence.

Section 21(2) makes it an offence to fail to notify changes to processing, in breach of section 20. The combined effect of section 20 and the Data Protection (Notification and Notification Fees) Regulations 2000¹⁷⁵ is to make it a requirement to keep notifications accurate and up to date, or as section 20(2) prefers, ‘current’. Thus, the data controller is required to notify the Information Commissioner of any respect in which an entry on the register of notifications becomes inaccurate or incomplete. The notification of the inaccuracy must be given as soon as possible and not later than 28 days after the date when the entry on the register became inaccurate or incomplete. Unlike the offence in section 21(1) there is a due diligence defence for offences under section 21(2). Section 21(3) says that ‘it shall be a defence for a person charged with an offence under [section 21(2)] to show that he exercised all due diligence to comply with the duty’.

Section 22(6) of the DPA will make it a criminal offence to carry out ‘assessable processing’ in breach of section 22(5). Section 22 of the DPA describes assessable processing as ‘processing which is of a description specified in an order made by the Secretary of State as appearing to him to be particularly likely to cause substantial damage or substantial distress to data subjects, or otherwise significantly to prejudice the rights and freedoms of data subjects’. At the date of publication of this book the Secretary of State has not made any orders under section 22.

Failure to provide information

Section 24(4) of the DPA makes it an offence for a data controller who has not notified to fail to comply with a request for ‘the relevant particulars’. Relevant particulars form the bulk of the information that a data controller would supply as registrable particulars when notifying for the purposes of section 17 of the DPA. Section 24(5) contains a due diligence defence saying ‘it shall be a defence for a person charged with an offence under [section 24(4)] to show that he exercised all due diligence to comply’ with a request.

Obstruction offences

Section 54A, Schedule 6, paragraph 8 and Schedule 9, paragraph 12 all contain obstruction offences.

Section 54A was inserted into the DPA by section 81 of the Crime (International Co-operation) Act 2003 and it gives the Information Commissioner a right of inspection over any personal data recorded in the Schengen information system, the Europol information system and the Customs information system. These multi-jurisdictional information systems are the products of international governmental agreements. They are particularly sensitive because they are concerned with transborder data flows of information required for law enforcement purposes, with obvious consequences for personal privacy. Section 54A(6) makes it an offence for any person to intentionally obstruct the Information Commissioner or to fail without reasonable excuse to give reasonable assistance during an inspection.

Schedule 6 is concerned with appeals from notices heard by the Information Tribunal. Paragraph 8 creates an offence of contempt of the Information Tribunal, replicating the offence of contempt of court. If the Tribunal finds that a person is in contempt it may ‘certify the offence’ to the High Court, or the Court of Session in Scotland. Certification then places the High Court, or the Court of Session, in control of the contempt proceedings.

The offence in Schedule 9, paragraph 12 is the offence of obstructing a warrant. To recap, it is an offence for any person to intentionally obstruct the execution of a warrant or to fail without reasonable excuse to give the person executing the warrant such assistance as they may reasonably require.

Unlawful obtaining, disclosure and sale of personal data

There have been more successful prosecutions under section 55 of the DPA than under all the other sections combined, although it has to be added that the overall number of successful prosecutions is low.

A frequently occurring theme within section 55 prosecutions is the ‘blagging’ of personal data by private detectives, often in the course of tracing debtors or investigating claimants in insurance claims. While not a term of art, ‘blagging’ is commonly recognized as being the underhand obtaining of personal data, often from public authorities, by private detectives who conceal or misrepresent their true identity or their purpose. In almost every case the blagging is done by telephone. This kind of activity is prosecuted with vigour by the Information Commissioner because it encapsulates every kind of serious contravention of the DPA.

Section 55 offences are not limited to the blagging of personal data by private detectives operating at the outer parameters of lawfulness. Preventing unlawful access to personal data is a logistical problem for most businesses and this includes data misuse by employees who may be tempted to offer their employer’s data to criminals, or to use it for their own interests or for the interests of their acquaintances. Newspaper reports draw attention to these problems from time to time and among other things they have highlighted the problem of workers at an Indian call centre offering a journalist access to information relating to customers of UK banks and police officers misusing the Police National Computer.

Unlawful obtaining and disclosure of personal data

Section 55 creates four offences. These are:

  • Obtaining or disclosing of personal data: A person is guilty of an offence if they knowingly or recklessly obtain or disclose personal data, or the information contained in personal data, without the consent of the data controller (section 55(1)(a)).

  • Procuring a disclosure of personal data: A person is guilty of an offence if they knowingly or recklessly procure the disclosure to another person of the information contained in personal data, without the consent of the data controller (section 55(1)(b)).

  • Sale of personal data: A person is guilty of an offence if they sell personal data that they have obtained in contravention of sections 55(1)(a)&(b) (section 55(4)).

  • Offering to sell personal data: A person is guilty of an offence if they offer to sell personal data that they have obtained in contravention of sections 55(1)(a)&(b) (section 55(5)).

All of the offences focus on two forms of processing, which are obtaining and disclosing. The essence of each offence is basically the same: a person has knowingly, or recklessly, obtained or disclosed personal data without the data controller’s consent. This breaks down into three elements:

  • Has personal data been obtained or disclosed?

  • If so, was the processing done with the data controller’s consent?

  • If so, was the processing done knowingly or was it the result of recklessness?

Has personal data been obtained or disclosed?

The obtaining of personal data is directly relevant to offences under section 55(1)(a) (obtaining or disclosing personal data), section 55(4) (sale of personal data) and section 55(5) (offering to sell personal data). The question whether personal data has been obtained involves two separate issues of fact. The first is whether the data are personal data, presumably in the sense described by the Court of Appeal in Durant v. Financial Services Authority.¹⁷⁶ The second issue is whether personal data have been obtained by the defendant.

As the Information Commissioner is the primary prosecuting authority for the purposes of section 55, it follows that the Commissioner carries the burden of proving that personal data have been obtained by the defendant. If the Information Commissioner cannot prove these facts, the defendant must be acquitted. The standard of proof is beyond reasonable doubt.

The fact of disclosure of personal data is relevant to all of the offences and, as with obtaining, the question of whether there has been a disclosure is a question of fact upon which the Information Commissioner bears the burden of proof.

Was the processing done with or without the data controller’s consent?

The significance of the focus of section 55 on the data controller’s consent should not be overlooked, because it shows that the DPA treats more seriously the unlawful obtaining of data from data controllers rather than from data subjects. Thus, a determined person can ‘blag’ personal information from the data subject without fear of prosecution (although a notice offence could ultimately be committed).

Consent is not defined in the DPA, but the Data Protection Directive gives assistance with the meaning of ‘data subject’s consent’, which it defines as ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’. There is no reason to think that a similar formulation cannot be applied for the meaning of the data controller’s consent.

In many cases the defendant may argue that consent was obtained, in the sense that they spoke to the data controller and asked for the personal information that is at the centre of the prosecution. If in such a case the defendant disguised their true identity, a ‘blag’ in every sense of the word, the data controller’s consent will be negated because the data controller was duped.

Was the processing done knowingly or recklessly?

The Information Commissioner will need very good quality evidence to prove that the defendant knowingly processed the data, but very often there is an abundance of evidence left behind by the criminal, particularly as a result of ignorance about the realities surrounding the deletion of electronic files and the monitoring of communications. The Information Commissioner will need to prove that the defendant actually knew that the obtaining or disclosure had occurred and that they actually knew that this was without the data controller’s consent.

The concept of recklessness is well known to the criminal law. The classic definition was in the case of R. v. Lawrence,¹⁷⁷ where Lord Diplock said:

Recklessness on the part of the doer of an act presupposes that there is something in the circumstances that would have drawn the attention of an ordinary prudent individual to the possibility that his act was capable of causing the kind of serious and harmful consequences that the section that created the offence was intended to prevent, and that the risk of those harmful circumstances occurring was not so slight that an ordinary prudent individual would feel justified in treating them as negligible. It is only when this is so that the doer of the act is acting ‘recklessly’ if, before doing the act, he either fails to give any thought to the possibility of there being any such risk or, having recognised that there was such a risk, he nevertheless goes on to do it.


This definition points to the following issues:

  • The circumstances as a whole need to be considered.

  • The circumstances must cause an ordinary, prudent individual to consider that there is more than a negligible risk that the harm at the heart of the offence could be caused.

  • If there is more than a negligible risk of harm, the defendant will have acted recklessly if they do the act in question without giving any consideration to the possibility of there being a risk, or having appreciated the risk they continue to do the act in question.

Procuring disclosure to another person

A person is guilty of an offence under section 55(1)(b) if they knowingly or recklessly procure the disclosure to another person of the information contained in personal data without the data controller’s consent. The essence of this offence is that the defendant causes, or brings about, the disclosure of personal information to a third party.

Sale of personal data

The final offences in section 55, the sale of personal data that have been unlawfully obtained (section 55(4)) and offering to sell personal data that have been unlawfully obtained (section 55(5)), are prohibitions against commercial dealing and will have particular resonance in industries where a person is paid for providing information, such as in the private detective industry. The meaning of offering to sell is assisted by section 55(6), which says that ‘an advertisement indicating that personal data are or may be for sale is an offer to sell the data’. Of course, a person guilty of an offence under sections 55(4) and 55(5) will also be guilty of unlawfully obtaining data under section 55(1)(a) and, depending on the facts, unlawfully disclosing under section 55(1)(a) or procurement of a disclosure under section 55(1)(b).

Exemptions

By reason of section 55(8), the offences do not apply where personal data are processed for national security purposes (section 28(1)(c)) or where the personal data consist of manual data recorded by public authorities (section 33A(1)(f)). This second exemption is of particular importance in ‘blagging’ cases, as public sector data controllers are often the target of dupers. In a prosecution for unlawful obtaining or disclosure from a public authority the Information Commissioner will have to provide evidence of the processing operations at the public authority so that the court can determine whether or not an exemption applies.

Defences

Section 55(2) contains a series of defences. These are:

  1. The obtaining, disclosing or procuring –

    1. was necessary for the purpose of preventing or detecting crime, or

    2. was required or authorised by or under any enactment, by any rule of law or by the order of a court.

  2. He acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person.

  3. He acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or

  4. In the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.


The prevention and detection of crime defence requires the processing to be necessary, meaning that the obtaining, disclosure or procurement of the data must have been essential to the processing purpose, namely the prevention or detection of crime. This defence is consistent with the crime and taxation exemption in section 29 of the DPA, which exempts most of the first data protection principle and section 7 (the right of access) if their application would be likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty. It is also consistent with the rules in the Data Protection (Processing of Sensitive Personal Data) Order 2000,¹⁷⁸ which allows non-consensual processing of personal data for, among other things, the prevention or detection of crime.

In many cases the law enforcement agency will take advantage of the exemption within section 29(3) of the DPA and will approach the data controller direct to obtain personal data, but there will be occasions when an open approach will be counterproductive, perhaps because the data controller is also under investigation, or for fear that an open approach might lead to a person being tipped off, or evidence being destroyed. Thus, section 55 provides a defence for these situations.

The second defence, that the processing was required or authorized by an enactment, rule of law or order of the court, does not contain a necessity element, but it will require the defendant to prove that a legal authority for his actions applied.

The third defence, that the defendant held a reasonable belief of a legal right to process the data, is subject to an objective test, namely that the defendant’s belief will not be regarded as being reasonable if it is objectively unreasonable. The same point is made with the fourth defence.

The final defence is a public interest defence. This defence could well apply where the defendant is revealing an illegal act and there were no other routes open to obtaining or disclosing the personal data.

Enforced subject access

Section 56 of the DPA contains prohibitions against the compulsory production of ‘relevant records’, which include: (i) criminal records obtained by a data subject from the police; (ii) certain records from the Secretary of State; and (iii) records from the Department of Health and Social Services for Northern Ireland following a subject access request under section 7.

In summary, section 56(5) creates two offences. The first is for contravention of section 56(1). The second is for contravention of section 56(2). These are strict liability offences, meaning that intention and knowledge are irrelevant to a conviction. However, there are two defences.

Relevant records

A relevant record is a record consisting of information about a data subject obtained from one of the three data controllers identified above. In order to qualify as a relevant record, the record needs to have been obtained by the data subject using his right of access in section 7 of the DPA. By definition such information is sensitive personal data within the meaning of section 2 of the DPA.

This definition of a relevant record is very important, because the offences both concern the supply or production of relevant records by ‘another person’ or by a ‘third party’. When these concepts are merged it becomes apparent that the offences are very specialized, extending to the rare cases where a data controller participating or contemplating participating in a relationship with a second person asks a third person to supply sensitive personal data.

Types of relevant records

A table in section 56 identifies the following types of relevant records:

  • convictions and cautions where they are obtained from police chief officers and chief constables, from the Director General of the National Criminal Intelligence Service, from the Director General of the National Crime Squad or from the Secretary of State;

  • records relating to the Secretary of State’s functions concerning the detention of young persons following a conviction;

  • records relating to the Secretary of State’s functions relating to prisons;

  • records relating to the Secretary of State’s functions concerning National Insurance and state benefits;

  • records relating to the Secretary of State’s functions under Part V of the Police Act 1997; these concern the issuing of criminal conviction certificates and criminal records certificates.

Personal data that falls within paragraph (e) of the definition of data in section 1(1) of the DPA, that is, recorded information held by a public authority that does not fall into any of the other categories, cannot be a relevant record for the purposes of section 56 (section 56(6A)).

A record that contains no data, sometimes called an empty record, will fall within the prohibitions due to section 56(9) of the DPA, which says that ‘a record which states that a data controller is not processing any personal data relating to a particular matter shall be taken to be a record containing information relating to that matter’.

Employment situations

Section 56(1) is concerned with employment and similar situations. It prohibits a person from requiring another person to supply or produce a relevant record in three situations:

  • In connection with the recruitment of another person as an employee, which means that a prospective employer is not allowed to ask a prospective employee or a third party to supply or produce a relevant record. By definition the third party cannot be a prospective employee.

  • In connection with the continued employment of another person, which means that an employer is not allowed to ask an employee or a third party to supply or produce a relevant record.

  • In connection with a contract for the provision of services, which covers situations akin to employment situations, such as where a business hires a subcontractor or temporary worker, applying where there is a contract for the provision of services by the one person to another. In these situations the recipient of the service cannot ask the service provider or a third party to supply or provide a relevant record.

Section 56(10) defines the meaning of ‘employee’. An employee is an individual who works under a contract of employment as defined by section 230(2) of the Employment Rights Act 1996 or who holds any office and it is irrelevant whether a salary is paid.

Provision of goods, facilities and services

Section 56(2) is concerned with situations where a person provides goods, facilities or services to the public or to a section of the public. It does not matter whether the goods, facilities or services are provided for payment or not, meaning that charities and public bodies are affected just as much as companies.

The prohibition in section 56(2) is against making the provision conditional upon the supply or production of a relevant record. Again, the person receiving the goods, facilities or services could be asked to supply or produce a relevant record or a third party could be asked.

Defences

There are two defences available under section 56(3). These are:

  • The imposition of the requirement to supply or produce a relevant record was required or authorized by or under an enactment, a rule of law or by court order.

  • The imposition of the requirement to supply or produce a relevant record was justified as being in the public interest.

Section 56(4) makes it clear that the public interest defence is limited in one very important respect, namely that a person is not allowed to take advantage of the public interest defence just because the supply or production of a relevant record would assist in the prevention or detection of crime. This is because Part V of the Police Act 1997 contains a legal framework for obtaining information about a person’s criminal record and convictions. Persons wishing to take advantage of the Police Act 1997 must proceed through the Criminal Records Bureau.

Information Commissioner offences

Section 59(3) of the DPA makes it an offence for any person to knowingly or recklessly disclose information in contravention of section 59(1). Section 59(1) is concerned with unlawful disclosures of certain types of information by the Information Commissioner and persons working for them. The ingredients of the offence are:

  • There must be disclosure of information that: (i) has been obtained by, or furnished to, the Information Commissioner under, or for the purposes of, the DPA or the Freedom of Information Act; (ii) relates to an identified or identifiable individual or business; (iii) is not at the time of the disclosure, or at any time before, available to the public from other sources.

  • The person making the disclosure is the Information Commissioner, a past Information Commissioner, a member of the Information Commissioner’s staff or an agent of the Information Commissioner.

  • The disclosure must be made without lawful authority.

  • The person making the disclosure must do so knowing that it is a contravention of section 59(1) or must be reckless as to whether the disclosure is in contravention of section 59(1).

Lawful authority

The absence of lawful authority for the disclosure is a vital component of the offence. Section 59(2) identifies the only circumstances in which disclosure will be with lawful authority:

  • The disclosure is made with the consent of the individual or of the person carrying on the business.

  • The information was provided for the purpose of its being made available to the public under any provision of the DPA or the Freedom of Information Act.

  • The disclosure is necessary for the purposes of (i) any functions under the DPA or the Freedom of Information Act; or (ii) any Community obligation.

  • The disclosure is made for the purposes of any legal proceedings.

  • The disclosure is necessary in the public interest, having regard to the rights and freedoms or legitimate interests of any person.

