InfoLaw Update - March 2013
Data Blagging and ‘Chicken Feed Fines’
Last month we reported that Sony was hit by a £250,000.00 fine due to its alleged failure to prevent a major data leak within its organisation. This month we are moving on to focus on the often tiny fines that are levied against individuals for flagrant breaches of the Data Protection Act 1998, or ‘data blagging’ as it is more commonly known.
What is ‘data blagging’?
Under section 55 of the Data Protection Act 1998 it is a criminal offence to unlawfully obtain or access personal data. The offence is punishable by way of a financial penalty of up to £5,000.00 if the matter is tried in a Magistrates’ Court, or an unlimited fine in the Crown Court. ‘Data blaggers’ are often perpetrators of this offence and use deceit to extract personal data from people or organisations.
Examples of ‘data blagging’
A typical case involving a breach of section 55 is that of Lara Davies, who was fined in December 2012. Ms. Davies was a bank employee who used her position at work to access the bank statements of her partner’s ex-wife, so that the information could be used in a dispute regarding their divorce settlement.
Although Ms. Davies pleaded guilty to 11 offences under section 55 of the Data Protection Act 1998, she was ordered to pay a fine of only £500.00 (plus a victim surcharge of £15.00 and prosecution costs of £1,410.80). Clearly Ms. Davies intentionally accessed this information and abused the position of trust that she was in at the bank to do so, and yet the fine was extremely modest.
As the Information Commissioner, Christopher Graham, commented –
‘The only surprise here is that – in an age where our personal information is being stored and accessed by more organisations than ever – the penalties for abusing the system are so inadequate.’
However, the Davies case is not unusual. There are a number of cases where the guilty party has used their job to obtain information about those related to, or connected with, them. In January 2012 a former Health Care Assistant, Ms. Juliah Kechil, accessed the medical records of 5 members of her ex-husband’s family in order to obtain their telephone numbers. Like Ms. Davies, she was convicted under section 55 and fined £500.00 (plus a £15.00 victim surcharge and £1,000.00 towards prosecution costs). Another worker in the health care sector, Ms. Usha Patwal, was ordered to pay £614.00 in costs after she obtained her sister-in-law’s medical details by contacting her doctors’ surgery and pretending to be a hospital employee. Ms. Patwal was herself a receptionist at another medical centre and used her knowledge of how the healthcare system worked to ‘blag’ this information.
However, data thefts are not always carried out to simply further personal disputes. In February 2012 a letting agent was fined a paltry £200.00 (plus a £15.00 victim surcharge and £728.60 in costs) for trying to obtain details about a tenant’s finances from the Department of Work and Pensions (‘DWP’). The letting agent was trying to recover rent from the tenant and attempted to ‘blag’ information about the tenant’s benefits from the DWP. No information was disclosed in this case, as DWP staff became suspicious when the letting agent could not give the tenant’s middle name. When commenting on this case the Information Commissioner called for tougher penalties to be available for ‘data blagging’, thus bringing the punishments in line with ‘blagging’ that could be prosecuted under fraud legislation. He referred to the penalties available for Data Protection breaches as ‘chicken feed fines’.
Not all breaches are confined to one-off data thefts. In some cases much larger scale breaches have become apparent. For instance, in November 2011 Mr. Ben-Ezra, a worker in the gambling industry, pleaded guilty to unlawfully obtaining and selling personal data relating to over 65,000 online bingo players. Despite the vast scale of this data theft he was fined just £1,700.00 (and ordered to pay £830.80 in costs). The Information Commissioner pointed out that through the sales of this illegally obtained data Mr. Ben-Ezra was estimated to have made in the region of £25,000.00, and yet the punishment imposed on him did not reflect this.
The current situation
The cases reported above are not one-offs, but examples of the data thefts and ‘blagging’ that still appear to be prevalent. Despite the furore surrounding the phone hacking scandal, the Leveson Inquiry and the closure of the News of the World, it is still not possible for a person found guilty of an offence under Section 55 of the Data Protection Act to be imprisoned for that offence. The Information Commissioner’s Office has been pushing for many years for a stricter regime, and the Justice Select Committee has called for changes to be made swiftly, but as yet nothing has changed. Section 77 of the Criminal Justice and Immigration Act 2008 gives the Secretary of State the power to introduce custodial penalties for breaches of section 55 of the Data Protection Act 1998 and hopefully in time amendments will be implemented.
At present, then, this leaves data controllers in a difficult position. Whilst they can be subject to (arguably) substantial fines like that imposed on Sony, individuals who breach section 55 of the Data Protection Act cannot. Therefore care needs to be taken, and organisations need to be wary of potential ‘blagging’ and/or thefts on two fronts: both from their own employees unlawfully accessing information and from external ‘blaggers’ trying to obtain information illegally.
It is often difficult to protect against a rogue employee, but steps should be taken to ensure that access to personal information is restricted to those that need it and is encrypted if appropriate. It will often be appropriate for employees to log into a computer system with a personal password, so that audit trails can be followed and thefts attributed to one person if suspicions do arise. IT policies should make it clear to employees that their computer use can be monitored and that audit trails can be followed. Hopefully, if an employee knows they are likely to be caught and dismissed if they steal data, this will act as a deterrent, even if the fines imposed for a breach of section 55 do not.
The key to protecting your organisation and your customers/clients from an external ‘blagger’ is staff training and identity checks. Make sure your staff know what can and can’t be disclosed under the Data Protection Act and what information they need before they can disclose information to someone. As the DWP case above shows, ‘data blaggers’ can be stopped, but this often relies on well trained staff asking the right questions.
About the author
Natalie is a Partner and leads the Employment Law & HR team and specialises in education.
Published: Tuesday 19th March 2013
Categorised: Information Law