recent work

Christopher Graham, ICO: Unlawful use of personal information should be punishable by custodial sentence

Christopher Graham of the Information Commissioners Office will highlight the need for such action when he speaks with the Justice Select Committee this week.

Such a call comes days after the conviction of a bank cashier, who illegally accessed the files of a sex attack victim, ‘to build a picture of the woman who had accused her husband’. Sarah Langridge, who had previously worked for Barclay’s Bank claimed she accessed the victim’s accounts, and was fined £800, £400 costs and £15 victim’s surcharge.

Mrs. Langridge was discovered to have carried out the offence after the victim recognised her during court proceedings as someone who worked in her bank’s local branch. After contacting police about her concerns, it was proved that Langridge had accessed the victim’s account 8 times in 8 months – during the court case that found her husband convicted.

Information Commissioner, Christopher Graham, said:

“It beggars belief that – in an age where our personal information is being stored and accessed by more organisations than ever – the penalties for seriously abusing the system still do not include the possibility of a prison sentence, even in the most serious cases. Access to online records is now part and parcel of almost every transaction the citizen makes – with government agencies, local government, the NHS, DVLA, high street banks, insurers, and social networks. This only makes the risks to privacy greater and the need for security greater still.

“The details of this case are truly shocking. The victim had a harrowing enough experience at the hands of her attacker; the revelation that her attacker’s wife was then rooting through all her personal details, for whatever purpose, would have caused even further distress.

“I note the outcome of this latest case, and I remain concerned that the courts are not able to impose the punishment to fit the crime in all cases, because the current penalty for this all too common offence is limited to a fine rather than the full range of possible sentences, including prison for the most serious cases,” Mr. Graham said.

Section 55 of the Data Protection Act makes it an offence to “knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data.” The current penalty for committing the offence is a maximum £5,000 fine if the case is heard in a Magistrates Court and an unlimited fine in a Crown Court.