Monday, 6 April 2009

Data Protection - A Comparative View of Jersey and the UK

"Well, they let me go in the end - after 7 hours in a police HQ cell. To those of you who don't know what I'm speaking of - I was arrested in a raid on my home this morning. Apparently - alleged breaches of the data protection law merited me being seized as I stepped out of my home - with 4 unmarked police cars and at least 8 police officers proceeding to turn over my home."
The senator and former health minister is thought to have spent six hours in custody helping police with inquiries
It's believed he could face charges under article 55 - 'unlawfully obtaining documents and unlawfully disclosing them

Apart from two cases in the UK, I cannot find any other cases of anyone being held in custody for breaking the Act. Seven hours to be held for this offense seems an extremely long time, and could be seen as a form of duress.

The two cases in question are Andrew Broom, who was a police officer in the UK found guilty of breaking the Data Protection Act; he obtained personal information from the police database and harassed a woman (who can not be named for legal reasons). Andrew Broom admitted three offences of breaching the Data Protection Act by obtaining personal information, and pleaded guilty to putting a person in fear of violence by harassment. It is clear that the latter offense led to his remand in custody, rather than the breach of the Act.

The other case is also a policeman, Graham Pryce-Jones, who had obtained the criminal records of his partners son and given her a print out. He was sentenced to a 12-month conditional discharge and made to pay costs. While he was not actually sent to prison, rather a conditional discharge, it shows that the courts are starting to take the offence more seriously.

Other breaches by Orange (the mobile phone company) and Littlewoods have resulted in formal undertakings, rather than fines. Following its investigation, the ICO found that Orange was not keeping its customers' personal information secure and therefore was in breach of the Data Protection Act. In a separate investigation the ICO ruled that Littlewoods Home Shopping had failed to process customers' data in line with the Data Protection Act. This follows a customer's attempt to stop the company using her personal data for direct marketing purposes. Despite her requests Littlewoods continued to send her marketing materials. The ICO has now required each company to sign a formal undertaking to comply with the Principles of the Data Protection Act. The story reports that:

Dr Chris Pounder of Pinsent Masons, and Editor of Data Protection and Privacy Practice, said: "This action is evidence that the Information Commissioner is using undertakings as a way of increasing his leverage against data controllers. Where an assessment by him concludes that a data controller has failed in a key obligation under the Act, then the Commissioner is asking for an undertaking that 'it won't happen again'. This ensures that if something were to happen again, the Commissioner can proceed to immediately to enforcement. It is only when there is a further failure will criminal prosecution occur." "In other words, the Information Commissioner is trying to establish the data protection equivalent of the 'three strikes and you're out' rule," he said.

In Jersey, of course, the other well-known States Member known to have breached the Data Protection Act is Senator Terry Le Main. In an e-mail sent to several States Members in February 2003 he named the woman and described her as 'not a fit person to be looking after children' after she vacated her house. An officer from Housing, and one from the Children's Service found this to be completely unsubstantiated. After visiting the tenant's property Deputy Le Main had telephoned the tenant's mother and disclosed details of her rent arrears. In doing so he breached the Data Protection Law for a second time. The Attorney General, William Bailhache, concluded that there was insufficient evidence to proceed despite receiving a report from the data protection registrar which criticised Deputy Le Main. Defiantly, in 2004, Terry Le Main has defiantly said he would 'do the same again' after he was told that he would not be prosecuted for breaking the Data Protection Law, especially given Le Main's statement (in the JEP) that - rather than giving an undertaking that he would comply in future - instead he defiantly said that he would flout the law again.

It will be interesting to see how any grounds for prosecuting Stuart Syvret differ from those for dropping the case against Terry Le Main.


No comments: