The Justice Select Committee has called upon the government to introduce jail terms for breaches of the Data Protection Act (DPA).
The current fines for such offences are inadequate deterrents because the financial rewards for illegal behaviour are so great, the committee says in a new report, which highlights the limitations in the powers of the Information Commissioner in investigating abuses of personal data.
In one case study, a nurse was providing patient details to her partner, who worked for an accident management company. A fine of £150 per offence was imposed, but accident management companies pay up to £900 for one client's details.
Sir Alan Beith, the chair of the Justice Committee, said magistrates and judges need to be able to hand out custodial sentences when serious misuses of personal information come to light.
"Parliament has provided that power, but ministers have not yet brought it into force - they must do so," he said.
Potential misuses of personal data are also not being fully investigated, the committee warns, because the Information Commissioner does not have the power to compel private sector organisations to undergo information audits.
If the Commissioner had been able to compel audits of insurance companies and personal injury lawyers the issues around referral fees might have been identified and tackled sooner, the report says.
"The Information Commissioner's lack of inspection power is limiting his ability to identify problems or investigate potential data abuses. Ministers must examine how to enable the commissioner to investigate properly without increasing the regulatory burden on business or the public sector," said Beith.
The report concludes that custodial sentences for breaches of Section 55 of the Data Protection Act would increase the deterrent and reduce the financial incentives for such offences.
Without the ability to hand out significant fines that outweigh the often lucrative rewards of such offences, there is little to put people off committing these crimes in terms of punishment, says Nick Lowe, vice president of Sales EMEA at identity management firm Cyber-Ark.
"For those incidents that violate the most personal of information, stronger penalties must be brought in; and it will be interesting to see if this goes as far as jail time," he says.
If organisations are to protect themselves and those whose information they store, said Lowe, they must assume responsibility and implement the right technologies to manage privilege properly, providing individuals with access only to the information and systems that meet their job requirements, while also recording and logging all privileged access and activities.
"By doing so, not only will the risk of privilege abuse be mitigated, but, if there is an incident, it can be quickly traced and the guilty party can be easily identified," he said.
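The two controls Lowe describes, access scoped to job requirements and a log of every privileged access, are illustrated below in an added Python example. It is not code from the report or from Cyber-Ark; the roles, user names, patient identifiers and record contents are constructed for the illustration, and the nurse scenario from the committee's case study is used only to show how a need-to-know check and an audit trail would behave.

```python
"""Least-privilege access to patient records with an audit trail.

Added example, not from the article or any vendor product. Two controls:
  1. a user may only perform actions their role permits, and a nurse may
     only read records for patients assigned to her (need-to-know);
  2. every attempt, allowed or denied, is logged with who, what and when,
     so an incident can be traced back to an individual.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample policy: which actions each role may perform.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "nurse": {"read_record"},
    "records_admin": {"read_record", "export_record"},
}


@dataclass
class User:
    user_id: str
    role: str
    assigned_patients: Set[str] = field(default_factory=set)


@dataclass
class AuditEvent:
    timestamp: str
    user_id: str
    action: str
    patient_id: str
    allowed: bool
    reason: str


class PatientRecordStore:
    def __init__(self, records: Dict[str, str]) -> None:
        self._records = records
        self.audit_log: List[AuditEvent] = []

    def _log(self, user: User, action: str, patient_id: str,
             allowed: bool, reason: str) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(),
            user.user_id, action, patient_id, allowed, reason))

    def access(self, user: User, action: str, patient_id: str) -> Optional[str]:
        """Return the record if the policy allows it, otherwise None.

        Every decision is logged before returning, so denied attempts
        (the signal an investigator wants) are never silently dropped.
        """
        # Control 1a: the role must permit the action at all.
        if action not in ROLE_PERMISSIONS.get(user.role, set()):
            self._log(user, action, patient_id, False, "action not permitted for role")
            return None
        # Control 1b: nurses are limited to their own assigned patients.
        if user.role == "nurse" and patient_id not in user.assigned_patients:
            self._log(user, action, patient_id, False, "patient not assigned to user")
            return None
        if patient_id not in self._records:
            self._log(user, action, patient_id, False, "no such patient")
            return None
        # Control 2: allowed accesses are logged too, not only refusals.
        self._log(user, action, patient_id, True, "ok")
        return self._records[patient_id]

    def who_accessed(self, patient_id: str) -> List[str]:
        """Trace: distinct users who attempted to touch this patient's record."""
        seen: List[str] = []
        for event in self.audit_log:
            if event.patient_id == patient_id and event.user_id not in seen:
                seen.append(event.user_id)
        return seen

    def denied_attempts(self, user_id: str) -> int:
        """Count refusals for one user; a spike here is an early warning."""
        return sum(1 for e in self.audit_log
                   if e.user_id == user_id and not e.allowed)


if __name__ == "__main__":
    # Constructed data: two patients, one nurse assigned to only the first.
    store = PatientRecordStore({"P001": "record for P001", "P002": "record for P002"})
    nurse = User("nurse_a", "nurse", {"P001"})
    store.access(nurse, "read_record", "P001")   # allowed
    store.access(nurse, "read_record", "P002")   # denied: not her patient
    store.access(nurse, "export_record", "P001")  # denied: role cannot export
    for event in store.audit_log:
        print(event)
```

Run directly, the script prints three audit events: one allowed read and two refusals, each carrying the user identifier, so the party behind a pattern of out-of-scope requests is identifiable from the log alone.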