They're all at it

The information commissioner says the trade in personal data extends far beyond tabloid journalism. Dealers will supply anyone who pays
July 20, 2011

Journalists love talking about themselves and their trade. I know. For 25 years, I was one. But the unlawful trade in personal data by tabloid journalists is only part of a larger problem. Fleet Street is not even the biggest part of that problem—but it has been standing in the way of a solution.

Back in 2009, it was revealed that several T-Mobile employees were selling company contract data to competitor companies. At this time, I renewed the call of my predecessor Richard Thomas for a serious deterrent against such breaches of the Data Protection Act: namely, a custodial penalty. The press went into overdrive. I was accused of threatening journalists with jail and imperilling the existence of investigative journalism. (My predecessor had faced similar accusations.) At the Society of Editors conference that autumn, I told the delegates: “It’s so not about you.”

The trouble is that the most spectacular evidence we had of the unlawful trade did involve journalists: 305 of them, and 31 newspaper and magazine titles. They were the clients of Steve Whittamore, the private investigator whose customer base was exposed when the Information Commissioner’s Office (ICO) came to call in 2003.

In two reports to parliament in 2006, What Price Privacy? and What Price Privacy Now?, the ICO laid out the evidence of unlawful blagging of personal information. (See the findings in the charts opposite.) In this case, the users were journalists, but the dealers will supply anyone who is willing to pay. Five years on, very little has been done to sort out either the users or the dealers.

Certainly, tabloid journalists were some of the users of unlawfully obtained personal information. But only some. The problem actually involves a much bigger cast list—of lawyers, claims management companies, private investigators and scam merchants, to name but a few. And what about the dealers? Those who abuse their position of managing the millions of bits of personal data we lodge with service providers every time we buy something from a website, use a mobile phone, clock up loyalty points, register for internet banking, sign up with the local GP practice—or do almost anything else online. And what isn’t online, these days?

Every week I see details of data breaches involving local councils, doctors’ surgeries, phone companies, and so on. Sometimes it is carelessness—hard-pressed staff being tricked into giving out personal information to the wrong people. Other times it’s deliberate and venal: rogue employees making more than a bit on the side to supplement often low pay by selling leads and contacts to those with a need to know.

There is a huge market for personal information. Tabloid journalists will pay for a phone number when they are close to deadline, or more sensitive information when investigating a scandal (whether it’s a public scandal such as MPs’ expenses or a private scandal about who is sleeping with whom). Similarly, the private investigator or lawyer will pay for information that may be for a lofty or a base purpose. “No win, no fee” lawyers are on the lookout for cases, both good and bad. After all, merit is a matter of judgement.

It is horribly easy to blag information from a doctor’s surgery. “Hello. I’m Mr so-and-so. It’s about those tests.” Never fails. Armed with part of the story, a skilled blagger can get the rest. Got the address, get the phone number. Got the phone number, get the friends and family numbers. Got the friends and family, get the mobile. The NHS is particularly vulnerable because it is huge, dealing with highly sensitive information, overworked and under pressure. It is also undergoing the kind of reorganisation that leaves a disused hospital, full of cancer patients’ records, to be plundered by whoever follows the guys who break in to steal the electrics. (Belfast, since you ask.)

For those trying to stop this trade, the problem is that society has a 20th-century approach to a 21st-century problem. Passing on people’s information doesn’t feel too terrible—a victimless crime, no worse than pinching office stationery or making long-distance phone calls from work. But the results of data breaches—identity fraud, financial loss, bullying, harassment, witness tampering, jury nobbling, confidence trickery—are anything but victimless.

If anyone needs convincing of the modern scourge that is data crime they need look no further than the website It is promoted by the Office of Fair Trading and the Serious Organised Crime Agency in an attempt to combat the scam mail operators who prey on the vulnerable. Where do the lists of potential “suckers” come from if not from improperly accessed data?

The trouble is that our legislators and our courts have not caught up with the reality of data crime. The Data Protection Act 1998 prescribes a fine of up to a mere £5,000 in the magistrates court for a Section 55 offence of unlawful obtaining or supplying of personal information. When a dissident member of the British National Party posted details of the party’s entire membership on his website, the judge could only impose a modest fine since the defendant was on benefits. In the crown court the fine can be unlimited, but it is difficult to get such cases to that court.

Richard Thomas, my predecessor as information commissioner, called for a custodial penalty in these cases back in 2006. Why we still haven’t got that may emerge from the inquiry into the behaviour of the press. The penalty is there in the Criminal Justice Act 2008, yet mysteriously has not yet been brought into effect. This not very effective Sword of Damocles was supposed to be making journalists behave, but the lack of an effective deterrent has allowed the dealers in unlawfully accessed data to continue to ply their highly lucrative trade.

If we are serious about stopping this, one result of the current police investigations and the public inquiries must be a custodial penalty for breaches of section 55: up to two years on indictment and up to six months on summary conviction. Armed with that, the ICO could investigate breaches more speedily, and the dealers in data would know they faced the full range of possible court sanctions, not just the small fines that can be dismissed as a business expense. The threat of prison would also allow interviews under caution at the earliest stage of an investigation, and a record on the Police National Computer.

In the meantime, data protection regulators can only push businesses and consumers to take privacy more seriously. Businesses should help consumers to safeguard their personal information by developing products that have privacy as a default setting, with easy-to-understand advice about choosing safer options when going online. Consumers need to be better at guarding their identities and should not give everything away on social networking sites. They must be more demanding of companies; ones that do not respect our privacy or our intelligence do not deserve our business. Any more than does a newspaper, come to think of it.