Data Protection Act penalties aren’t fit for purpose

Did you know snails can have as many as 50,000 teeth? Lions have a mere 30. Yet the prospect of the latter careering towards you with bloodthirsty intent is somewhat more terrifying. Forgive the tenuous link, but there’s an analogy with laws.


It’s not the range of offences we could be charged with that makes us afraid to break the law, but the severity of the punishment. Where data regulations are concerned, it is apparent that governments are either forgetting or ignoring this fact.

Putting aside the question of whether the EU’s taste for making new data laws is an albatross around the neck of business or a necessary protection for consumers, authorities in the UK are failing to convince anyone they are serious about enforcing the laws that already exist. I refer specifically to the Data Protection Act (DPA).

This is the centrepiece of all UK data legislation, as it covers the most crucial part of the public debate – what happens to personal data once it has been collected. We can argue ad nauseam about what kinds of personal data it’s appropriate for organisations to collect, and what level of consent should be required, but it’s all meaningless if there’s no incentive to keep the data safe.

At present, magistrates’ courts can impose fines of up to £5,000 and crown courts can give unlimited fines for criminal breaches of the DPA. But as information commissioner Christopher Graham told a parliamentary committee earlier this year, few cases get to crown court, so fines rarely exceed a few hundred pounds.

Graham himself calls this “chicken feed”. Civil liability can lead to higher fines, but individuals within organisations that misuse customer data need to know that they could go to prison. The consequences to consumers of their data being sold or illegally viewed are serious enough to warrant it.

It is clear that breaches of the Data Protection Act are getting out of control. Last week, a Freedom of Information request by Channel 4’s Dispatches programme revealed that nearly 1,200 civil servants were disciplined for inappropriately or unlawfully accessing personal records between April 2010 and March 2011.

The situation is likely to be just as bad in businesses. Though 80% hold sensitive personal data, only around 30% say they are “very confident” that it is adequately protected, according to research by software provider Varonis.

Anecdotally, too, there have been increased reports in the past year of cold calls by salespeople, even when consumers have opted out of receiving them via the Telephone Preference Service. Though it can sometimes be hard to know where these calls originate, it is likely that data often reaches companies like this unlawfully.

The penalties associated with breaking the Data Protection Act are not fit for purpose. Either fines need to be high enough as a proportion of an organisation’s turnover to be punitive, or individuals must face the threat of a custodial sentence.

Only when the DPA is functioning properly will it become clear what other data laws are needed. Right now, we shouldn’t be talking about whether data regulation needs more teeth, but whether they need sharpening.


