There is an important opportunity to influence future legislation that is being obscured by a controversy over protection for ‘whistle-blowers’
The Law Commission is in the middle of a consultation period (which ends on 3 April) relating to the legislation concerned with the protection of official data. The basic summary document can be accessed here. I won’t be tempted to get dragged into the controversy that has surrounded that consultation - at least not here (see me in the pub later, when I can give full vent to my half-informed views). If the controversy has passed you by and you want to explore it, there are interesting starter points here and here.
My aim in the blog post is to highlight the points raised in that consultation about personal information disclosure offences and, in particular, the Data Protection Act 1998, s 55. I fear that an opportunity to be heard on a matter of obvious interest to many SCL members may be missed.
This is what the summary document says on personal disclosure information offences and s 55 (the refs are to numbered paras in the full document):
4.1 Our consultation paper identifies over one hundred offences which deal with unauthorised disclosure and are contained in legislation other than the Official Secrets Acts 1911-1939; or 1989, referred to for convenience as “miscellaneous unauthorised disclosure offences”. Section 55 of the Data Protection Act 1998 is the most well-known and the most often invoked offence of this type.
4.2 Broadly speaking, these miscellaneous offences fall into two categories. The first category contains those offences which criminalise the disclosure of personal information held by public bodies, broadly defined. The second category contains those offences that criminalise the unauthorised disclosure of information concerning national security, such as information that relates to the enrichment of uranium.
4.3 We consider some of the difficulties with the law relating to the disclosure of personal information and ask whether consultees agree with our assessment that a full review of personal information disclosure offences is needed. The difficulties we have identified with the current law are examined comprehensively and include, for example, lack of uniformity in the drafting of the current law; inconsistency around whether consent is needed to commence prosecution and lack of uniformity around whether the recipient of the information is criminalised.
Do consultees have a view on whether a full review of personal information disclosure offences is needed? [4.59]
4.5 This chapter also examines some issues that our research has uncovered and which relate to the offence contained in section 55 of the Data Protection Act 1998.
Section 55 of the Data Protection Act 1998
4.6 Section 55 makes it an offence knowingly or recklessly to obtain, or to procure the disclosure to another of personal data without the consent of the data controller. This is a freestanding offence in the sense that, unlike most of the offences examined in the above section, it does not accompany a statutory information gateway. The offence can be committed by individuals in both the public and private sectors and the maximum sentence on conviction, either summarily or on indictment, is an unlimited fine. Prosecutions under section 55 of the Data Protection Act 1998 can only be brought by the Information Commissioner, or by the Crown Prosecution Service with the consent of the Director of Public Prosecutions.
4.7 Two important reforms to section 55 of the Data Protection Act 1998 Act were included in the Criminal Justice and Immigration Act 2008. First, section 77 of the 2008 Act gives the Secretary of State the power to make section 55 of the 1998 an imprisonable offence with a maximum sentence of 12 months’ imprisonment and/or a fine on conviction in the magistrates’ court; and two years’ imprisonment and/or a fine on conviction in the Crown Court. Before exercising the power to bring this provision into force, the Secretary of State must consult with the Information Commissioner, appropriate media organisations and other appropriate persons (Criminal Justice and Immigration Act 2008, s 77(4)). Although section 77 of the 2008 Act has been granted the Royal Assent, the Secretary of State has not yet exercised the power to bring it into force.
4.9 Secondly, section 78 of the 2008 Act inserts a new statutory defence into section 55 of the Data Protection Act 1998. This defence may be pleaded if the individual who disclosed the personal data was acting with a view to publishing “journalistic, literary or artistic material”; and with the reasonable belief that the disclosure, obtaining or procuring was in the public interest. Section 78 is not yet in force.
4.10 Our consultation paper identifies some problems relating only to the Data Protection Act 1998. These problems including the maximum available sentence (currently a fine) which does not necessarily seem capable of reflecting adequately the seriousness of the offence and the fact that the data controller is the victim of the unauthorised disclosure, rather than the individual whose personal data has been disclosed.
4.11 Given the problems we have identified with the offence, our provisional conclusion is that section 55 requires review to assess the extent to which it adequately protects personal information. (Although the offence in section 55 contains a number of deficiencies, we believe it is also worthy of note that it does demonstrate that it is possible to craft an overarching offence that protects personal information.)
4.12 Do consultees have a view on whether the offence in section 55 of the Data Protection Act 1998 ought to be reviewed to assess the extent to which it provides adequate protection for personal information? [4.85]