ICO supports prison sentences for serious breaches
In a response to an MoJ call for evidence, the ICO says it supports prison sentences for serious breaches of the Data Protection Act.


The most serious breaches of the Data Protection Act should carry with them the threat of imprisonment, according to information commissioner Christopher Graham.
In the Information Commissioner's Office (ICO) response to a Ministry of Justice call for evidence on the effectiveness of the European Data Protection Directive and the Data Protection Act (DPA), the watchdog said prison sentences should be a deterrent against breaking the law.
"It is widely evidenced that the greatest threat to information security in organisations is individuals, yet the DPA only provides for a fine for those individuals who knowingly or recklessly obtain or disclose personal data, or procure someone else to do this for them," the body said.
"The information commissioner considers that the trade in personal information justifies the possibility of a custodial sentence for the most serious offences."
Currently, individuals who breach the DPA can be issued with a 5,000 in the Magistrates Court, or an unlimited fine in the High Court.
Introduction of prison sentences was agreed on in 2008, but no one has been punished with a custodial sentence to date.
The response also noted the commissioner's support for enforced notification, again for more serious breaches.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"Although there is currently no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the information commissioner believes serious breaches should be brought to the attention of his office," the ICO said.
However, if disclosure does become a requirement, there needed to be a better definition of what constitutes a serious breach "on the basis of risk," the body suggested.
"If all security breaches are to be notified, this could create the potential for huge and disproportionate administrative burdens for both businesses who have to notify breaches regardless of their seriousness, and for the regulator who has to administer those breach notifications," the watchdog added.
"This could divert scarce resources from other, more effective regulatory activity."
Response to a response
Stewart Room, partner in Field Fisher Waterhouse's Privacy and Information Law Group, said the ICO's response was a safe one and it offered nothing "innovative."
The only area where Room saw the ICO coming unstuck was in the watchdog's call for direct regulation of data processors.
"My main reason for saying that is that I think the regime works alright. I don't think it needs to change," he told IT PRO.
Room did agree, however, with the commissioner's call for the amendment to section 13 of the DPA, which would give people rights to pursue compensation claims for distress, regardless of whether they had suffered financial loss.
"The amendment to section 13, it seems an inevitable outcome," he said.
"The problem for the Government is that if they resist that change then they are putting themselves on the wrong side of the debate, they are arguing the losing position. They are also putting themselves on the opposite side to the UK citizen, or the voter."
Room also said the commissioner was wrong to not call for greater financial powers.
"This is where I feel the commissioner is not serving data protection well," he added.
"Half a million pound fine, I know as a fact from what people have told me, they consider it to be a joke and they are not factoring it in."
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.
-
CISA issues warning in wake of Oracle cloud credentials leak
News The security agency has published guidance for enterprises at risk
By Ross Kelly
-
Reports: White House mulling DeepSeek ban amid investigation
News Nvidia is caught up in US-China AI battle, but Huang still visits DeepSeek in Beijing
By Nicole Kobie
-
Labour calls for investigation into Hancock's use of private email
News Reports claim the former health secretary "routinely" breached guidelines by using his personal Gmail for government business
By Bobby Hellard
-
TikTok to open first European data centre in Ireland
News The move could signify a desire to shift its operations away from the US as well as secure its position in the European market
By Sabina Weston
-
MPs in a muddle over GDPR and storing voters' personal data
News Labour MP Chris Bryant says his staff were told to delete constituents' data
By Bobby Hellard
-
Trump resort will not be charged for breaching data laws
News Presidential hopeful's Scottish golf course failed to register under the Data Protection Act for four years
By Adam Shepherd
-
Banks urged to share data but warned over security
News Experts voice concern over security of open API recommendations
By Rene Millman
-
EU centralises European open data through one portal
News Open Data Portal will enable public sector bodies to share information
By Rene Millman
-
Experts question sheer scale of data storage required by Snooper's Charter
News Who will foot bill for physical infrastructure to house UK's browsing histories?
By Jane McCallion
-
Snapchat's T&Cs update could put user data at risk
News Kaspersky said giving the service permission to share pictures with third parties could lead to a serious breach of privacy
By Clare Hopping