§ The Earl of Northeskasked Her Majesty's Government:
How many prosecutions, sorted by category of offence, there have been for breaches of the Data Protection Act 1998 in each year since the legislation came into force; and what was the average fine for each category of offence in each year. [HL6275]
§ The Parliamentary Secretary, Lord Chancellor's Department (Baroness Scotland of Asthal):Wales and Northern Ireland proceedings for a criminal offence under the Data Protection Act 1988 can be commenced by the Information Commissioner or by, or with the consent of, the Director of Public Prosecutions in England and Wales (or in Northern Ireland the Director of Public Prosecutions for Northern Ireland.) In Scotland, criminal proceedings are brought by the Procurator Fiscal. The only readily available information relates to proceedings brought by, or with the knowledge of, the Information Commissioner.
I understand that the commissioner has brought three such proceedings under the Act since it came into force on 1 March 2000 and convictions were achieved in all three. The cases were all heard in 2002. All involved offences under Section 55 of the Act (unlawful obtaining etc of personal data). Convictions were obtained for a total of 12 offences; five for obtaining; three for selling; three for attempting to obtain; and one for disclosing personal data unlawfully. The average fine imposed was £200.
In addition, in one of the cases, a conviction was obtained for failure to notify under Section 21(1) of the Act. The fine imposed was £250.
There have been no criminal proceedings commenced by the Procurator Fiscal under the Data Protection Act 1998.