In an interview with Bloomberg the Information Commissioner Christopher Graham once again calls for prison sentences as a deterrent for those who make use of stolen personal data.
I don't disagree with his aims, nor his observation of the general lack of respect for personal data. But I take issue with his quoted assertion:
"Unless people realize they can go to prison, it seems like a victimless crime"I take serious issue with a policy that would send the likes of journalists to prison for exploiting weaknesses in the security of organisations entrusted with our personal data.
It smacks of an attempt to provide a false sense of security, making it illegal to exploit a loophole; papering over the gaping data leak and allowing serious and organised criminals to continue to exploit such loopholes until they get caught.
Is jail always a deterrent?
The Information Commissioner himself seems aware that journalists aren't the largest consumers of black-market personal data:
"While most violations aren’t done by journalists, the newspapers were the ones who objected the loudest, Graham said"Jail is not a deterrent to one group - criminals - who already have a thirst for personal data; to facilitate ID theft, bank and credit card fraud.
If there's a product, and a demand, someone will be willing to run the risk of supplying the product. Jail is just part of the value equation; see the US prohibition years, and the ongoing and failing war on drugs - where the link between jail terms and cost of product on the street is incomprehensible.
Seemingly jail did not work as a deterrent for police employees, where already there are criminal penalties - the common law offence of misconduct in a public office. Only 98 police employees ended up leaving their employment from over 900 staff caught and disciplined for misusing official databases. Only a handful of these were prosecuted.
The ICO's use of existing powers
We have the public official tasked with overseeing the nation's data protection, and the best he can do is bemoan the lack of criminal sanctions for an offence which is somewhat isolated from the problem of data leaking from corporations.
The ICO already, now, has the power to fine companies up to £500,000 per offence under the Data Protection Act. Should the ICO not be stepping up enforcement - or maybe asking for a better enforcement budget - rather than jumping on an anti-journalism bandwagon?
I'd like to see the information commissioner making the link between consumer trust, brand strength and data protection. A massive data loss could have a massive long-term impact on corporate revenues. The ICO already has a significant power in being able to publicly shame corporations with lax data security.
Also worth nothing are the legal obligations already on any board of directors to act in the interests of shareholders; namely the success of the company, noting the catastrophic brand damage that can occur from data breaches.
Half-a-million pound fines aside, in the near future any board which fails to implement effective data protection regimes could find itself answering to shareholders and stock market regulators.
Data leaks need to be stemmed at source
Corporations need to face up to their legal obligations and improve their respect for the personal data entrusted to them. Shooting the messenger does nothing to reform the delinquent organisations who don't at the moment see any incentive to enforcing information security at an organisational level.
Systems need to be designed with privacy in mind. Organisations must have a financial incentive to care; e.g. by partitioning large databases of personal information so no one operative has access to every record; or, by incorporating audit trails to see who accessed what, when and why.
Corporations should be seen as negligent if they don't utilise this audit trail to pro-actively police their own data stores, e.g. to detect anomalies, such as call centre operatives accessing more records that they have taken calls in a day, etc.
And, crucially, they must fire staff who abuse trust.
In defence of journalism
Public emotions are running high, with the scale of press intrusion being a long-smouldering issue; the recent News International revelations being just the catalyst for the recent explosion.
But shooting the messenger here is both dangerous and likely to have little effect on the root cause of data leaks.
Yes, some journalists have overstepped the line - by a long, long way. But so have professionals in every organisation. Corporate corruption (Enron etc) (with complicity from accountants), solicitors (ACS:Law), MPs (expenses), peers (perjury), police officers, etc.
Does anyone remember another press controversy only a few months earlier? Super-injunction, anyone?
There are serious free speech and practical issues with any attempt to control information once it has leaked.
Journalism is no worse than any other profession, and arguably better than the average.
I trust most journalists more than most MPs. After all, the connection between a newspaper and the public is far stronger and much more direct than the bond which ties the government to the electorate in elections once every 4-5 years. The public has a direct hold on newspapers. They need our "vote" each week, in selling their papers and getting advertisers on board, etc. The dramatic end of the News of the World was stark evidence of this.
On the premise that transparency is good,as it goes a long way to keeping organisations in check, newspapers must win hands down as the most transparent organisations around. 95% of the information that passes through them ends up in the public domain, either through publication or journalists' gossip.
Journalists actively want to tell the story. Even when an organisation tries to keep certain details out of the public domain, journalists have shown a tenacity in getting the information out.
Jail, a deterrent? Maybe it will deter many professional journalists who, despite the recent scandals, are usually right-minded folks who act on the side of the public. But it won't fix the problem.