Andy Dean - Fotolia
Since taking over the role in 2009, Graham has campaigned for jail sentences of up to two years for rogue company employees who illegally sell confidential information.
Graham reiterated his call in response to Isleworth Crown Court fining a woman just £1,000 on 8 January 2016 for selling 28,000 customer records.
Sindy Nagra, 42, from Hayes sold almost 28,000 customer records of a car rental company for £5,000 to accident claims companies.
In addition to the fine, Nagra was ordered to pay a £100 victim surcharge and £864.40 prosecution costs.
Nagra was an administrative assistant at Enterprise Rent-A-Car, and was responsible for processing customer details sent to the car rental company by an insurance company.
The details – typically of people who had been involved in road traffic collisions – included details of the policyholder as well as details of their insurance claim.
Enterprise Rent-A-Car contacted the ICO after their systems identified Nagra was looking at a large number of records – including many she would not have been expected to process.
An investigation found Nagra, who worked from home, had been photographing the records while they were on her computer screen.
Nagra pleaded guilty to unlawfully obtaining, disclosing and selling personal data, a criminal offence under section 55 of the Data Protection Act.
Options for data offence deterrents
Currently, courts can issue unlimited fines for the offence, but not custodial sentences, which the information commissioner believes should be an option.
Graham said “nuisance call cowboys” and “claims market crooks” will pay people to steal personal data, but the fines that courts are issuing do not do enough to discourage would-be data thieves.
“This fine highlights the limited options the courts have. Sindy Nagra got £5,000 in cash in return for stealing thousands of people’s information. She lost her job when she was caught, and has no money to pay a fine, and the courts have to reflect that. But we’d like to see the courts given more options: suspended sentences, community service and even prison in the most serious cases,” said Graham.
“With so much concern about the security of data, it is more important than ever that the courts have at their disposal more effective deterrent penalties than just fines.
"People who break the criminal law by trading in other people's personal information need to know that they will be severely punished and could even go to prison. We’ve been pushing for this for some time. Parliament voted for it to happen more than seven years ago, but it remains on a Westminster backburner.
"It is high time that changed.”
The records were bought by Iheanyi Ihediwa, 39, from Manchester, who Nagra claimed had been introduced to her after he approached her husband in a pub. Ihediwa appeared before Manchester Magistrates’ Court on 17 December 2015, where he also pleaded guilty to section 55 offences.
Ihediwa was fined a total of £1,000, ordered to pay prosecution costs of £864.40 and a victim surcharge. The court also made a destruction order in respect to any data held by the defendant.
Low penalties devalue data offences
The ICO's campaign for jail terms goes back to a 2003 probe into a private investigator who used deception to obtain the private details of targeted individuals.
The probe found the private investigator had sold details to more than 300 journalists, including some at the News of the World.
In 2006, the ICO proposed a two-year prison term after investigating the sale of stolen personal data to journalists.
Then chief of the ICO, Richard Thomas, said low penalties devalue the offence in the public mind and mask the seriousness of the crime, but lawmakers failed to act in the face of press
In the wake of the phone-hacking scandal at the News of the World in 2011, Graham urged reforms in the hope that the idea of sending journalists to jail for using stolen data may find more support.