If you are employed in the public sector, you can forget about offences under the Data Protection Act if there is deliberate misuse of personal data.
In the absence of a custodial sentence, in more serious cases, prosecutors are increasingly opting for the blunt instrument that is the common law offence of "malfeasance in public office". The offence does not need "personal data" or a computer or even an official secret – all it needs is a public official to be caught deliberately doing the wrong thing.
The offence itself, because it is not based on statute, is not easily defined and perhaps this is why it is used. It gathers into one offence, a range of official misconducts, frauds, deceits, breaches of trust, and disclosures of information. "Malfeasance in public office" has two related cousins – "nonfeasance in public office" (eg a wilful neglect of duty) and "misfeasance in public office" (eg malicious exercise of official duty). The punishment for this offence comes with a potentially unlimited custodial sentence and unlimited fine. As with all common law issues, the penalty depends on the circumstances and this provides another reason why it is preferred.
The offence is a prosecutor's dream – the ultimate in flexibility. No need to argue that there was personal data involved, especially if manual records are involved. Note that the malfeasance offence avoids all sorts of side issues. For example for a local authority, unauthorised disclosure of details from Housing Records is an offence, but unauthorised disclosure of Housing Benefits files is not. Also, in serious cases, the Section 55 offence of the DPA is non-custodial; malfeasance can carry a significant jail term.
The law gets tough on 'malfeasors'
For example, in April 2007, James Andrew Hardy, a police officer who improperly accessed a police database and passed individuals' personal details on to a man with a violent criminal record had his jail term increased by the Court of Appeal to nine months, following an appeal by the Attorney General. He had been previously found guilty of the malfeasance offence but was given a suspended prison sentence of 28 weeks and 300 hours of community service.
In January 2005, special Constable Geraldine Tabor was fined £1,000 for malfeasance when she looked up the criminal records of fellow employees at the petrol station where she worked. Special constables are part-time volunteers and Tabor claimed she had looked up the details because she suspected one employee of stealing fuel and the other of stealing bags of chocolate oranges. By contrast, in 2004, a police computer operator in Gwent was only fined £400 under the Data Protection Act for using the police database to look up four of her friends because she was bored.
In October 2005, a vehicle registration official, Barry Saul Dickinson, gave drivers' addresses to animal rights activists and was jailed, courtesy of the malfeasance offence, for five months. According to the police at the time, "Dickinson accessed DVLA computer systems to look up people's registration numbers", and passed names and addresses to animal rights extremists.
In June 2007, a civilian police worker pleaded guilty to malfeasance in a public office by leaking confidential details on terrorism to a newspaper. Thomas Lund-Lack, 59, who was working in the Metropolitan Police's counter-terrorism unit, disclosed a document to a Sunday Times journalist because he was fed up with government policy. In this case, the further charge of breaching the Official Secrets Act was expected to be ordered to lie on file pending sentence. Just pause for a moment to reflect – if a prosecutor has to choose between malfeasance and Official Secrets, it is malfeasance which prevails.
All the above offences could have been brought under data protection, computer misuse or other legislation – all of which need some degree of technicality to overcome. For example, was the information in question actually personal data or stored on a computer? Malfeasance in public office does away with the technicalities. All it needs is evidence that someone misused their authority as a public official.
Public sector readers and contractors to the public sector should thus ensure that their training courses cover this offence.
We are running several sets of data protection courses next year. We are running the five-day intensive course in Edinburgh (beginning 24 February) and in Leeds (beginning 3 March). These courses cover the DP ISEB syllabus and prepare delegates for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Our next FOI course starts in Manchester on 26th January. As with Data Protection, these courses cover the FOI ISEB syllabus for the examination in April 2011, although you do not need to be seeking the qualification to attend.
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.