The Panama scandal has been brought about by an anonymous source allegedly hacking the data centre of a law firm in Panama.
The so-called “Panama Papers” were obtained from an anonymous source by German daily Sueddeutsche Zeitung and shared with media worldwide by the International Consortium of Investigative Journalists (ICIJ).
In the wake of the scandal we examine the current data protection legislation in the UK.
The Data Protection Act 1998 (DPA) created a number of criminal offences that affect both individuals and organisations. It came into force in March 2000 and has had widespread repercussions on how individuals and organisations govern their information processing procedures. There have been a number of criminal prosecutions in this area and whilst the offences created by the DPA are punishable by way of a fine only, defendants have found themselves prosecuted under different charges, such as conspiracy to defraud or misconduct in public office, which can of course carry sentences of imprisonment. This is because prosecuting authorities do not want to be limited to the weak sentencing powers of the current data protection legislation.
The DPA applies to personal data and how it is used by data controllers. The data itself needn’t be in a particular format – it can be held electronically, in paper, audio, visual or digital records.
“Personal data” is any recorded information about a living individual that can be identified from that data and other information, which is in the possession of the Data Controller.
Personal data can still be regarded as personal even if the information is already in the public domain, and the information required to meet the definition of “information contained in personal data” need not be detailed. In R v Rooney (Jacqueline Mary)  EWCA Crim 1841 it was argued that by the defendant, only revealing the town in which a person lived, did not amount to personal data and that the full address was required to meet that test. The Court of Appeal rejected this argument and said that to disclose the town in which a person lived was “information contained in personal data” under section 55 1(1) DPA.
Processing, under the terms of the DPA, covers any means by which personal data can be dealt with, including its collection, use, storage, disclosure and amendment. For that reason, if an individual or organisation were to simply possess such data, that would still amount to processing.
For all of these reasons the DPA has widespread application and the criminal offences can bite in cases of partial disclosure or processing.
Section 55(1) DPA unlawful obtaining etc of personal data.
It is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller.
This offence can of course be committed in many different ways, such as “hacking” or “blagging”. An employee of a data controller can access an information database and obtain an individuals name, address and telephone number, for example. There have been cases in which an employee has obtained such information and disclosed it to a third party for their own purposes.
It seems that the original thinking in the Panama Papers scandal was that the documents were obtained by an employee or insider, but the firm Mossack Fonseca, believe that the firm’s data security had been breached from an external source.
Section 55(2) sets out four defences to section 55(1). They are:
No doubt in the Panama Papers scandal the anonymous source would argue that the reason for the data breach was necessary for the purpose of preventing or detecting crime, although it seems highly unlikely that argument will ever be heard. The source that provided the documents to Süddeutsche Zeitung only communicated with a reporter using several encrypted messaging services, which meant that their conversations were hidden from view. The journalist also destroyed his own smartphone and laptop before publishing the first story on the scandal.
Section 55(4) and section 55(5) DPA create offences of selling and offering to sell personal data. An advertisement indicating that personal data is or may be for sale constitutes an offer to sell for the purposes of section 55 (5).
In the Panama papers the source refused to accept any money or other reward in return for the documents obtained.
The DPA contains a number of notification offences. This is where a data controller processes personal data but has not notified the Commissioner either that the processing is taking place or of any changes that have been made to that processing.
Section 17 DPA prohibits the processing of personal data without registration. Therefore, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Information Commissioner. Section 21(1) makes a contravention of section 17 an offence.
Section 20 DPA imposes a duty on data controllers to notify the Commissioner of any changes to their details or the way in which the controller processes personal data. Section 21 DPA makes it an offence to fail to comply with the duties imposed by section 21. Section 21(3) provides a defence to data controllers who can demonstrate that they exercised all due diligence to comply with their duty.
There are no custodial sentences in respect of DPA offences and no powers of arrest; all offences are punishable only by way of a fine (section 60 (2)). Search warrants are available to the Information Commissioner by virtue of section 50 and the powers outlined at schedule 9 of the DPA.
The Secretary of State has the power to alter the penalty for a section 55 offence under section 77 of the Criminal Justice and Immigration Act 2008, but has not yet done so. This, it seems, represents a long-term source of frustration of the Commissioner. In R v Summers (Daniel) Unreported 2012 (Crown Ct (Kingston)) the defendant “blagged” companies to reveal personal data to him. Rather than charging the defendant with a section 55 offence, the defendant was charged with others in a conspiracy to defraud. This of course exposed the defendants to a custodial sentence, rather than restricting the court to a financial penalty as section 55 would have done. Summers received two twelve month sentences of imprisonment which ran concurrently.
In response to the sentences the Commissioner said: “If SOCA had been restricted to pursuing this case solely using their powers under the Data Protection Act these individuals would have been faced with a small fine and would have been able to continue their activities the very next day. We must not delay in getting a custodial sentence in place for section 55 offences under the Data Protection Act.”
Indeed, because of the limited sentencing powers provided by the DPA, prosecutors may prefer to charge defendants with other offences which still deal with the criminality involved. For example, in R v Dickinson (Barry Saul) 2004 EWCA Crim 3525 the defendant obtained and disclosed personal data of individuals whilst working for the DVLA. He did so without the consent of the data controller, contrary to section 55 DPA. The information was disclosed to animal rights activists who used the data to harass certain individuals. The defendant pleaded guilty to one count of misconduct in public office.
In light of this established practice, clients ought to be advised that whilst on the face of the allegation the suitable charge is under section 55 DPA, punishable only by way of fine, they could also face different charges, such as misconduct in public office or fraud, which provide the court with much greater sentencing powers.
It may be that the source in the current scandal will never be found, but it would come as no surprise if instances such as this become more frequent and if so it may be time for the government to consider altering the courts sentencing powers for data protection offences.
Blog | 19 Apr 16