The UK's Information Commissioner has argued that the country's current fines system is manifestly inadequate to punish black market trading in stolen personal data, and the courts should be able to send the worst offenders to prison.
Currently, illicit data trading is unlikely to be punished by more than modest fines, irrespective of the severity of the crime and the profit made from it.
The ICO has used the real-life case of an employee of a car rental firm to illustrate the inadequate consequences available to punish information theft.
Administrative assistant Sindy Nagra sold close to 28,000 of her employer's customer records, earning her £5,000 (A$10,450) in cash. The records contained details, sent to the company by insurers, of people involved in traffic accidents.
Nagra was caught out after the car rental company she worked for found that she had been looking at many more records than she was expected to process. Nagra was found to have photographed the records while they were displayed on her computer screen as she worked from home.
For this, Nagra was fined just over A$2000, plus A$200 as a "victim surcharge" and A$1800 in prosecution costs. She also lost her job, and claims to have no money to pay the fine, said the ICO.
The person who bought the purloined data, Iheanyi Ihediwa of Manchester, was fined a similar amount plus prosecution costs, as well as being ordered to destroy the illegally obtained information.
Information commissioner Christopher Graham said that his office would like courts to have more options in cases like Nagra's, with suspended sentences, community service and even prison for more serious offending on the table.
"With so much concern about the security of data, it is more important than ever that the courts have at their disposal more effective deterrent penalties than just fines.
"People who break the criminal law by trading in other people's personal information need to know that they will be severely punished and could even go to prison," Graham said.
He added that the ICO has been pushing for stiffer punishment for information theft for over seven years, but that the demand remains on the backburner at Westminster.
While there are provisions to penalise organisations up to £500,000 (A$1,045,000), the ICO is limited in how it can enforce the UK's Data Protection Act when it comes to individuals.