Information Commissioner Richard Thomas wants those who trade in illegally obtained personal data to be jailed for as long as two years.
Thomas this week became the first commissioner to use his special powers under the Data Protection Act to present a report to Parliament warning of the "pernicious" and "pervasive" trade in data such as bills, addresses and bank and health records.
For such crimes, violators face only a fine of up to £5,000 in a Magistrates' Court. By contrast, the trade is highly lucrative, according to the results of an investigation by the Information Commissioner's Office. One agent involved in tracing individuals charged up to £120,000 per month, while telephone account information sold for £750 a go.
Thomas's report, What Price Privacy?, proposes prison sentences of up to two years for those convicted by crown courts, and up to six months for those found guilty by magistrates. "Low penalties devalue this serious data protection offence in the public mind and mask the seriousness of the crime, even within the judicial system," Thomas wrote. "They do little to deter those who seek to buy or supply private information that should remain private."
Contrary to what might be expected, the information was often pieced together by low-tech social engineering methods rather than through high-tech fraud or online attacks, according to the report. Traffickers bribed staff or impersonated officials or the individuals they sought information on.
As well as fraudsters, the purchasers included journalists, along with financial institutions and local authorities tracing debtors. The information was purchased via private investigators, often through several intermediaries.
In one case, an agent was hired by a reputable City law firm via a private detective to obtain bank account details. The agent obtained the target's mother's maiden name by telephoning the 80-year-old mother, claiming to be an HM Revenue & Customs representative. He was recently fined £250 each for two offences, and pleaded guilty to six further data offences, for which he wasn't penalised.
The NUJ (National Union of Journalists) criticised Thomas's proposal, protesting that journalists do not buy illicit personal information solely in order to find out prurient details about celebrities. On the contrary, they had a legitimate need to use "exceptional means to investigate exceptionally important matters" in the public interest "where all other methods have been exhausted", the NUJ said in a statement.
The NO2ID campaign, which is protesting against the government's introduction of ID cards, applauded Thomas's concern, but said penalties were unlikely to work.
"Wholesale abuses of privacy, like that just revealed at the [Department of Work and Pensions], will be as nothing compared to the damage that could be done by the creation of the so-called National Identity Register," added NO2ID national co-ordinator Phil Booth, in a statement.
This story first appeared on Techworld.com.