Operation Millipede has brought the issue of data protection and the illegal gathering of information to the fore of the minds of both businesses and legal practitioners.
Businesses should be aware of the potential offences that can be committed under the Data Protection Act 1998 (DPA) and the penalties that can be imposed when they engage in information gathering exercises.
The companies being investigated under Operation Millipede may have committed a number of offences under the Data Protection Act by commissioning the illegal gathering of information.
Application of the Data Protection Act
As a preliminary point it is important for businesses to note that the DPA applies to personal data held in all formats, whether electronic, paper, audio, visual or digital records.
Personal data, as defined in the case of Durant v Financial Services Authority, is any recorded information about a living individual that can be identified from that data and other information which is in the possession of the data controller. It should be noted that this is quite a broad definition as it can relate not just to the data itself but to other relevant information in the hands of the controller.
However, in R v Julian Connor it was held that the prosecution needs to prove that the individuals named were alive at the time the data was obtained to come within the offences under the DPA which is perhaps more lenient towards data controllers.
Data Related Criminal Offences
The DPA sets out criminal offences which can only be instituted by the Information Commissioner or with the consent of the Director of Public Prosecutions.
Most pertinent to information gathering is Section 55(1) of the Act which holds that a person must not knowingly or recklessly, without the consent of the data controller, obtain, disclose or procure the disclosure of personal data or the information contained in personal data.
Any person who contravenes this is guilty of an offence.
Exceptions to the Section 55 Rule
There are notable exceptions to section 55(1), for example it does not apply if the obtaining, disclosure or procuring disclosure was necessary for crime prevention or detection.
It would also be sufficient to show that the obtaining, disclosure, or procuring was required or authorised under any enactment or under a court order.
Subsection (1) does not apply if the person acted in the reasonable belief that he had a right in law to obtain, disclose or procure the disclosure of the data.
The person may also claim under section 55(2) that he acted in the reasonable belief that he would have consent of the data controller if the data controller had have known of the obtaining, disclosing or procuring and the circumstances of it.
It is also a defence to show that the obtaining, disclosing or procuring was justified as being in the public interest.
Selling and Offering to Sell Personal Data
Sections 55(4) and 55(5) create offences of selling and offering to sell personal data that is obtained in contravention to subsection (1). It is essential to note that offers extend to advertisements and this differs from the usual common law interpretation that advertisements are usually mere invitations to treat.
Sanctions for Data Protection Breaches
In terms of punishment, there are no custodial sentences imposed under the DPA. Under section 60 the offences are punishable by a fine only. However, business managers should be aware that they may be prosecuted individually at the same time as the organisation.
For specialist advice contact Peter Gourri today by email PGourri@rollingsons.co.uk or telephone 0207 611 4848.
No comments:
Post a Comment