UK data protection enforcement has definitely stepped up a gear in recent weeks.

Last week, the Government announced that it is to introduce custodial sentences of up to two years' imprisonment for those found guilty of knowingly or recklessly:

  • obtaining or disclosing personal data from data controllers without their consent; or
  • selling such personal data.

Although there are various statutory defences, these can be difficult to make out. For example, it is a defence to show that the disclosure of the personal data was justified as being "in the public interest". "Public interest" is a very elusive concept but what is clear is that it is not the same as what is interesting to the public.

This initiative follows a series of custodial sentences handed down last month, ranging from eight months to two and a half years, for those convicted of sending bogus notices demanding payment to register under the Data Protection Act 1998. Although this "scam cloaked with the appearance of officialdom" was widely reported in the media, the participants managed to obtain over £600,000 from businesses before being caught.

The UK's data protection authority also recently brought its first-ever prosecution for failing to respond to a subject access request. Although a failure to comply with a subject access request is not an imprisonable offence, Liverpool City Council was fined. A former employee had requested the personal information held about him by the Council. Believing that some health-related information was missing from the data provided, the employee complained to the authority. When the Council failed to respond to the authority's information notice, the authority commenced proceedings. The Council pleaded guilty and was fined £300. This case serves as a reminder to all organisations to monitor periodically the effectiveness of their procedures for handling subject access requests, so that nothing "slips through the net".

It will be interesting to see whether the UK's data protection authority will take such a hardline on enforcement with the Government's Department of Work and Pensions after a recent blunder by the Department resulted in the bank details of 26,000 pensioners being sent to the wrong addresses!

Finally, financial services companies should bear in mind that the UK's data protection authority is not the only body interested in data security breaches. Earlier this week it was reported that the Nationwide Building Society had been fined £980,000 by the Financial Services Authority for failings in its information security which came to light after a company laptop was stolen from an employee's home.

As is clear from these recent developments, it has never been more important for organisations to ensure that they are in compliance with data protection legislation.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved