Traders in illicitly obtained personal information should be jailed for up to two years, according to the information commissioner, Richard Thomas.
Thomas this week became the first commissioner to use his special powers under the Data Protection Act to present a report to Parliament warning of the "pernicious" and "pervasive" trade in data such as bills, addresses, and bank and health records.
For such crimes, violators face only a fine of up to £5,000 in a Magistrates' Court. By contrast, the trade is highly lucrative, according to the results of an investigation by the Information Commissioner's Office. One agent involved in tracing individuals charged up to £120,000 per month, while telephone account information sold for £750 a go.
Thomas' report, What Price Privacy? proposes prison sentences of up to two years for those convicted by crown courts, and up to six months for those found guilty by magistrates. "Low penalties devalue this serious data protection offence in the public mind and mask the seriousness of the crime, even within the judicial system," Thomas said. "They do little to deter those who seek to buy or supply private information that should remain private."
In contrast to what might be expected, information was often pieced together by low-tech social engineering methods, rather than through high-tech fraud or online attacks, according to the report. Traffickers bribed staff or impersonated officials or the individuals they sought information on.
The purchasers were ultimately financial institutions and local authorities tracing debtors, estranged spouses and journalists, as well as fraudsters. The information was purchased via private investigators, often through several intermediaries.
In one case, an agent was hired by a reputable City law firm via a private detective to obtain bank account details. The agent obtained the target's mother's maiden name by telephoning the 80 year old mother, claiming to be an HM Revenue & Customs representative. He was recently fined £250 each for two offences, and pleaded guilty to six further data offences, for which he wasn't penalised.
The NUJ criticised Thomas' proposal, protesting that journalists do not buy illicit personal information solely in order to find out prurient details about celebrities. On the contrary, they had a legitimate need to use "exceptional means to investigate exceptionally important matters" in the public interest, "where all other methods have been exhausted", the NUJ said in a statement.
The NO2ID campaign, which is protesting the government's introduction of pseudo-compulsory ID cards, applauded Thomas' concern, but said penalties were unlikely to work.
What's more, "wholesale abuses of privacy, like that just revealed at the (Department of Work and Pensions), will be as nothing compared to the damage that could be done by the creation of the so-called National Identity Register," said NO2ID national coordinator Phil Booth, in a statement.