The Seven Year Dither

September 9, 2013

The latest blog post from Information Commissioner Christopher Graham addresses the issue of what the ICO is doing about the list of names of prominent companies and law firms that was handed over to the ICO by SOCA. The list had been compiled as part of Operation Millipede, which culminated in SOCA’s successful prosecution of some private investigators for a range of offences relating to the unlawful acquisition of information. Some members of the press are in the dock too for related offences.

I have no issue with Christopher Graham’s approach to the investigation of whether any of the names on the list have been involved in offences. Nor do I disagree with the suggestion that the names on the list should remain confidential for now. The fact that members of the press have suffered by being named and having their names dragged through the gutter (aka media) gave some satisfaction (the biter bit and all that) but the press enthusiasm for the same fate to befall others is reminiscent of those thirsting to carry out school initiation ceremonies because they still bear the scars of their own.

Where I have a problem with Christopher Graham is in his soft-shoe shuffle from list confidentiality to what he (not entirely unfairly) describes as a Seven Year Dither over the implementation of the powers introduced by the Criminal Justice and Immigration Act 2008, s 77 to make an offence under the Data Protection Act 1998, s. 55 an imprisonable offence. The mathematicians among you, at least those aged 5 and over, will note that seven years have yet to pass since the Act was passed but the Information Commissioner is starting his countdown from the ICO’s first suggestion that the law needed tightening up. His assumption, that anything other than a leap from suggestion to law counts as dither, would make the Queen of Hearts blush but nobody can deny that there has been a fair amount of dithering going on – three years at least.

While I was shocked by the low level of fine imposed in the case of Victoria Idowu, the probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator and was fined £150, the main run of prosecutions for s 55 offences have resulted in fines that seemed proportionate. It has to be remembered that low fines mainly result from the low means of the offender, who has (in all probability) lost his or her job and is surviving on benefits.

Christopher Graham makes the case that the failure to implement s 77 of the 2008 Act is a failure to take blagging seriously:
‘The grubby reality is that anyone blagging sensitive personal information from your local GP surgery undermines the entire process, at a risk of receiving just a £150 fine. And so long as the crime of blagging isn’t taken seriously by the authorities we’re building the digital future on some very rocky foundations. Keith Vaz and his Select Committee continue to focus on whether the private investigator client list should be published. But surely effective regulatory action is what is needed, rather than a day’s headlines. If MPs really want to do something to stop the blagging they should demand that ministers stop shilly shallying and implement the tougher penalties that recognise the blagging problem for the scourge that it is.’

The trouble with this stance is that it does not fit with the facts. Most prosecutions under s 55 have nothing whatsoever to do with ‘blagging’. Ms Idowu certainly did no blagging. Secondly, contrary to the specific suggestion by Christopher Graham, blaggers do go to jail. Operation Millipede, which was very much concerned with blagging, led to charges of fraud and related offences and the private investigators received jail terms. Most blagging, even the socially acceptable kind, involves an offence under the Fraud Act 2006. Other offences might also come into play where there is serious criminal behaviour – it is, for example, hard to see why Ms Idowu was prosecuted by the ICO under s 55 when the offence of misconduct in a public office (an imprisonable offence) appears to have been available. In my view, many of those prosecuted for s 55 offences could have been prosecuted for fraud or under the Computer Misuse Act. Why prosecute the easy offence if you really feel that the imposition of serious penalties is the only way for data protection to be given its proper importance? My immediate reaction to the first ICO press release on the list handed to them by SOCA was to wonder why they were only thinking in terms of s 55 prosecutions. If the behaviour that their investigation reveals is sufficiently serious criminal behaviour, I hope that they will stop dithering and open their eyes to the other possibilities that are open to them.

I doubt that Christopher Graham actually wants Dartmoor to get a new E-wing full of s 55 offenders – he just wants such offences taken seriously. It is a sad fact that you cannot impose a community sentence unless the offence is imprisonable – Ms Idowu’s conduct cried out for a community sentence – and that is not going to alter soon (although I am not personally convinced by the link between the two).

What I do agree with Christopher Graham on is that the dither should stop. The latest excuse for further consultation was thin. If the Government thinks that there are real problems with implementing s 77 of the 2008 Act then it might like to repeal it so that we don’t have constant replays of this argument for the next five years.