Under current law, breaches of the Data Protection Act can only be punished with fines through the courts.
The U.K. government is proposing to amend the law, which makes it an offense to obtain, disclose or procure the disclosure of personal information knowingly or recklessly without the consent of the data controller (with some exceptions). The government wants to increase the penalties for misuse of personal data to allow for up to six months' imprisonment on summary conviction and up to two years in jail if convicted on indictment. These are in addition to the existing fines.
The Department for Constitutional Affairs (DCA) will first undertake a public consultation on the new sentencing proposals (click here for PDF).
The government's change in tack follows a warning by Richard Thomas, the U.K.'s data protection watchdog information commissioner, that current penalties are not proving an effective deterrent to What Price Privacy?". He made the warning in a report released earlier this year, called "
Responding to the news of the DCA consultation, Thomas said: "These proposals will help by ensuring that anyone who might be tempted to misuse personal information for private gain knows that they could go to prison if they do so."
The Lord Chancellor, Lord Falconer, who is responsible for the functioning of British courts, said the new punishments will cover "deliberate and willful misuse" of personal information and that front-line public sector staff who make an error of judgment while sharing data will not be penalized.
The DCA consultation is open until Oct. 30, 2006.
Andy McCue of Silicon.com reported from London.