The Metropolitan Police knew that numerous mobile phones had been illegally hacked by private investigators but failed to alert the phones' owners, according to The Guardian newspaper. If so, the victims should have been told, a privacy expert has said.
The Guardian alleged this week that Rupert Murdoch's News Group newspapers paid out more than £1 million to settle legal cases that threatened to expose evidence of journalists using private investigators to hack into the private mobile phone messages of numerous public figures.
"The suppressed legal cases are linked to the jailing in January 2007 of News of the World reporter Clive Goodman for hacking into the mobile phones of three royal staff," it reports. It also adds that at that time, News Group newspapers' parent, News International, claimed that it knew of no other journalist involved in hacking phones.
It cites two unnamed sources in the Met, one of whom claims that officers found evidence of "two or three thousand" mobile phones having been hacked. The Guardian says that the Met failed to notify the owners of those phones and says that the evidence calls that failure into question.
Rosemary Jay, a data protection expert at Pinsent Masons, the law firm behind OUT-LAW.COM, said that if police knew the details of numerous hacked phones, they would have had a duty to notify the phones' owners.
The hacking of phones is a crime under the Regulation of Investigatory Powers Act 2000. According to Jay, police would have a duty under the Data Protection Act to notify the victims.
"If a crime has been committed in the way that is suggested and police knew the people affected, I think police would have a duty themselves under the Data Protection Act to notify the victims," she said. "That would have given them an opportunity at least to change their mobile phone numbers."
The Data Protection Act says that personal data must be processed fairly and lawfully. It also says that when personal data is obtained from someone other than the subject, the controller of that data must ensure that the subject is given some basic information about the circumstances of the data being obtained.
"This would not apply if telling individuals would entail a disproportionate effort, or in cases where the disclosure would prejudice the prevention or detection of crime," said Jay. "But I struggle to see how the police could rely on either of these justifications. Calling these people is neither laborious nor likely to hamper any investigation."
The Guardian also alleges unauthorised access to confidential databases, such as telephone accounts, bank records and the DVLA's vehicle database. That is an offence under section 55 of the Data Protection Act, but not one that can be punished by a custodial sentence.
In 2006, Information Commissioner Richard Thomas called for that to change, arguing that the 'blagging' of personal data had to be deterred. He said that the illegal buying and selling of personal information should carry a maximum penalty of two years' imprisonment.
The Criminal Justice and Immigration Act of 2008 provides for that custodial sentence, but the provision has never been brought into force.
"I expect that the new Commissioner, Christopher Graham, will call for that change on the back of today's allegations," said Jay.
"There is a defence to section 55 and the new amendment where the circumstances of the blagging can be justified as being in the public interest – but that will not justify fishing expeditions," she said. "Amid today's allegations that blagging was systematic, affecting thousands of individuals, there are unlikely to be more than a handful of cases that can be justified as being in the public interest."
A spokesman for the Information Commissioner's Office told OUT-LAW today: "Any changes to the law are of course a matter for the Ministry of Justice but the ICO continues to believe that custodial sentences are needed as an effective deterrent to those who might be tempted to take part in the unlawful trade in personal information."
"We will be watching the blagging market closely, will prosecute any case supported by evidence and will highlight future breaches of section 55 of the Data Protection Act to Ministers and to Parliament," the spokesman said.
Under RIPA, both the hacker of a mobile phone and those who commissioned the hacking would face the risk of prosecution. There is no public interest defence in that law.
The Met police declined to comment on the accuracy of the Guardian's allegations.
Copyright © 2009, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.