They’re all at it

Prospect Magazine

They’re all at it


The information commissioner says the trade in personal data extends far beyond tabloid journalism. Dealers will supply anyone who pays

Journalists love talking about themselves and their trade. I know. For 25 years, I was one. But the unlawful trade in personal data by tabloid journalists is only part of a larger problem. Fleet Street is not even the biggest part of that problem—but it has been standing in the way of a solution.

Back in 2009, it was revealed that several T-Mobile employees were selling company contract data to competitor companies. At this time, I renewed the call of my predecessor Richard Thomas for a serious deterrent against such breaches of the Data Protection Act: namely, a custodial penalty. The press went into overdrive. I was accused of threatening journalists with jail and imperilling the existence of investigative journalism. (My predecessor had faced similar accusations.) At the Society of Editors conference that autumn, I told the delegates: “It’s so not about you.”

The trouble is that the most spectacular evidence we had of the unlawful trade did involve journalists: 305 of them, and 31 newspaper and magazine titles. They were the clients of Steve Whittamore, the private investigator whose customer base was exposed when the Information Commissioner’s Office (ICO) came to call in 2003.

In two reports to parliament in 2006, What Price Privacy? and What Price Privacy Now?, the ICO laid out the evidence of unlawful blagging of personal information. (See the findings in the charts opposite.) In this case, the users were journalists, but the dealers will supply anyone who is willing to pay. Five years on, very little has been done to sort out either the users or the dealers.

Certainly, tabloid journalists were some of the users of unlawfully obtained personal information. But only some. The problem actually involves a much bigger cast list—of lawyers, claims management companies, private investigators and scam merchants, to name but a few. And what about the dealers? Those who abuse their position of managing the millions of bits of personal data we lodge with service providers every time we buy something from a website, use a mobile phone, clock up loyalty points, register for internet banking, sign up with the local GP practice—or do almost anything else online. And what isn’t online, these days?

Every week I see details of data breaches involving local councils, doctors’ surgeries, phone companies, and so on. Sometimes it is carelessness—hard-pressed staff being tricked into giving out personal information to the wrong people. Other times it’s deliberate and venal: rogue employees making more than a bit on the side to supplement often low pay by selling leads and contacts to those with a need to know.

There is a huge market for personal information. Tabloid journalists will pay for a phone number when they are close to deadline, or more sensitive information when investigating a scandal (whether it’s a public scandal such as MPs’ expenses or a private scandal about who is sleeping with whom). Similarly, the private investigator or lawyer will pay for information that may be for a lofty or a base purpose. “No win, no fee” lawyers are on the lookout for cases, both good and bad. After all, merit is a matter of judgement.

It is horribly easy to blag information from a doctor’s surgery. “Hello. I’m Mr so-and-so. It’s about those tests.” Never fails. Armed with part of the story, a skilled blagger can get the rest. Got the address, get the phone number. Got the phone number, get the friends and family numbers. Got the friends and family, get the mobile. The NHS is particularly vulnerable because it is huge, dealing with highly sensitive information, overworked and under pressure. It is also undergoing the kind of reorganisation that leaves a disused hospital, full of cancer patients’ records, to be plundered by whoever follows the guys who break in to steal the electrics. (Belfast, since you ask.)

For those trying to stop this trade, the problem is that society has a 20th-century approach to a 21st-century problem. Passing on people’s information doesn’t feel too terrible—a victimless crime, no worse than pinching office stationery or making long-distance phone calls from work. But the results of data breaches—identity fraud, financial loss, bullying, harassment, witness tampering, jury nobbling, confidence trickery—are anything but victimless.

If anyone needs convincing of the modern scourge that is data crime they need look no further than the website It is promoted by the Office of Fair Trading and the Serious Organised Crime Agency in an attempt to combat the scam mail operators who prey on the vulnerable. Where do the lists of potential “suckers” come from if not from improperly accessed data?

The trouble is that our legislators and our courts have not caught up with the reality of data crime. The Data Protection Act 1998 prescribes a fine of up to a mere £5,000 in the magistrates court for a Section 55 offence of unlawful obtaining or supplying of personal information. When a dissident member of the British National Party posted details of the party’s entire membership on his website, the judge could only impose a modest fine since the defendant was on benefits. In the crown court the fine can be unlimited, but it is difficult to get such cases to that court.

Richard Thomas, my predecessor as information commissioner, called for a custodial penalty in these cases back in 2006. Why we still haven’t got that may emerge from the inquiry into the behaviour of the press. The penalty is there in the Criminal Justice Act 2008, yet mysteriously has not yet been brought into effect. This not very effective Sword of Damocles was supposed to be making journalists behave, but the lack of an effective deterrent has allowed the dealers in unlawfully accessed data to continue to ply their highly lucrative trade.

If we are serious about stopping this, one result of the current police investigations and the public inquiries must be a custodial penalty for breaches of section 55: up to two years on indictment and up to six months on summary conviction. Armed with that, the ICO could investigate breaches more speedily, and the dealers in data would know they faced the full range of possible court sanctions, not just the small fines that can be dismissed as a business expense. The threat of prison would also allow interviews under caution at the earliest stage of an investigation, and a record on the Police National Computer.

In the meantime, data protection regulators can only push businesses and consumers to take privacy more seriously. Businesses should help consumers to safeguard their personal information by developing products that have privacy as a default setting, with easy-to-understand advice about choosing safer options when going online. Consumers need to be better at guarding their identities and should not give everything away on social networking sites. They must be more demanding of companies; ones that do not respect our privacy or our intelligence do not deserve our business. Any more than does a newspaper, come to think of it.

  1. July 22, 2011

    Bruce Dickson

    Are we crippling our PM by removing his private unvetted and unchaperoned MI-type agent?
    On balance this seems right. Our global probity and motivating pride are more important than his parochial strengths. Plus suspicion of polity and hubris would destroy faith in him.
    Especially as all on the net are part of the evolving global immune system. Has it not started to shrink and even excise a few multinational cancers? As well as offer to pierce the MR bubble around sensible leaders.

  2. August 7, 2011

    Contessa Kopashki

    manipulation of identity by the individual and those with nefarious motives is well established. the weighty baggage of personal data we are expected to manage and protect throughout our lifetime provides ample opportunity for misidenitification, morphing, cloning and impersonation.

    the illegal trade in private data transfer is well lubricated by lax identity protection, both by individuals and organisations. as individuals we all too readily give our data on request and as custodians we bow too easily to the demands of assumed officials who demand our data.

    the ease of online data mining, lack of e-signatures and implicit trust placed in all things technological makes a sitting duck of anyone with information in a database. in large organisations too many people have access to too much data; the ones with access to the most sensitive data (IT, HR, accounts) are rarely vetted or scrutinised to a degree that would expose wrongdoing.

    ‘accidental’ data leaks are often orchestrated mass transfer of data from owner to profiteer. few of low morals would turn down the opportunity to reap the rewards on offer from low risk data theft? it may be unpopular but three steps towards a solution might be:

    - more stringent security vetting and monitoring of database access patterns
    - introduction of an e-signature which can be linked to an established id method
    - reduction in the number of individuals with authority to access sensitive data

    The private data market is the foundation of two thriving industries: commercial fraud and tabloid journalism. It is unlikely that either can be put of business but effective policing can bring them to heel. And when they grow too big for their boots they can be put out in the cold.

  3. December 2, 2011

    Ted Ditchburn

    The problem spreadbeyond ‘jorunalists’ as the private investigators (who invariably link into Police forces as they are often ex policemen) began driving the process. ‘Journalists’ became in effect merely the secretarial office putting the story into a form suitable for the paper…but they didn’t ‘get’ the story and by and large they couldn’t check the story.

    On a completely different, but related, track the rise of twitter and ‘Citizen Journalism’ are producing similar disenfranchisment of ‘real journalism’… reporters today are people who sit on twitter trying to decide whether the tweets are lies, damned lies, or ‘a story’….

    I hope the Leveson Inquiry will prove a catalyst for the a renewal of journalism as a profession but my fear is that the tectonic forces that earlier produced the phone hacking, and ‘agreed celebrity snatch pic’, and now produce Twitter and facebook based stories are simply too strong— in the brave new world of disntermediated media and the disregard of copyright by new media companies it is hard to see how what we have known as journalism for a couple of hundred years finds the oxygen it needs.

Leave a comment


Christopher Graham
Christopher Graham is the Information Commissioner, enforcing the Freedom of Information Act and the Data Protection Act 

Share this

Most Read

Prospect Buzz

  • Prospect's masterful crossword setter Didymus gets a shout-out in the Guardian
  • The Telegraph reports on Nigel Farage's article on Lords reform
  • Prospect writer Mark Kitto is profiled in the New York Times

Prospect Reads

  • Do China’s youth care about politics? asks Alec Ash
  • Joanna Biggs on Facebook and feminism
  • Boris Berezosky was a brilliant man, says Keith Gessen—but he nearly destroyed Russia