Usually, the ICO “names and shames” when a prosecution is brought and has resulted in a fine. In this case, it went public before the supposed data thieves have even been brought into court, even though T-Mobile understood that it was working in tandem with the watchdog to resolve the issue.
The scale and impact of the alleged theft may justify this early announcement. It appears that staff were taking data on customer contracts with their expiry dates and selling it to brokers who in turn may have sold it on to T-Mobile’s competitors. Thousands of contract customer records are involved which, with a market value of at least £1 each, will have netted the thieves and their agents a lot of money.
What is clear is that Christopher Graham intends to be active in his role as enforcer of data protection legislation and is moving early to make an impact. He is determined to use the new powers to fine which his office gains from April next year.
Which is where the timing of the T-Mobile theft gets interesting because the ICO does not feel that fines are a sufficient deterrent – he is arguing for the law to be further changed to allow custodial sentences for breaches of the Data Protection Act. He recently made a submission making the case to the Ministry of Justice, which is in the middle of a consultation process over changes to the DPA.
What better to get the attention of legislator’s than a high-profile data theft, involving a household name brand and which directly impacts on ordinary consumers through unwelcome sales calls? Far easier for MPs and public servants to understand than the more abstract issues of compliance and data governance.
The theft from T-Mobile is to be decried and pursued with the full force of law, of course. If proven, it shows that staff are all too willing to cash in by stealing data and that stronger deterrents are needed. What is less certain are the ICO’s motives in going public when the victim of the theft was still presuming the right to privacy.
David Reed, Editor, Data Strategy