The penalties for data theft are so low, most perpetrators are willing to risk getting caught, despite the latest prosecution of a man who purloined company data to set up his own business.
That is the view of Information Commissioner Christopher Graham, who has yet again renewed his call for stiffer penalties – including prison terms – for data thieves, amid claims the current regime makes theft “worth the risk”.
His comments follow the prosecution of Paul Hedges, a former manager of a health service at a Southampton leisure centre, who stole sensitive medical information relating to nearly 2,500 patients, hoping to use it for a new fitness company he was setting up.
Hedges, who previously worked as a community health promotions manager based at Bitterne Leisure Centre, in Hampshire, sent the information to his personal email account on 28 April 2011 after being told that he was being made redundant.
The 42-year-old had previously been responsible for managing the council’s Active Options GP referral service, where patients would be referred by their GP or other health professionals to attend fitness sessions, for a range of conditions including obesity, diabetes, arthritis, and cardiac and mild mental health issues.
However, Hedges made one fatal error, by contacting previous patients using the Active Options name and branding, sparking complaints to the local council.
The Information Commissioner’s Office was informed of the issue and initiated prosecution proceedings. West Hampshire Magistrates Court fined him £3,000 and ordered him to pay a £15 victim surcharge and £1,376 prosecution costs.
Graham, said: “This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now.
“For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation is already on the statute book but needs to be activated.
“The Government must ensure criminals do not see committing data theft as worth the risk.”
Lenient data theft sentence vilified
MPs back ‘lock up data thieves’ call
Fresh call to bang up data thieves
Brands face threat of ‘data raids’
ICO tries ‘softy, softly’ audit plan
ICO fines ‘wake-up call for brands’