Not now, Brian, we’re busy

Imagine that you are employed by a mobile phone network. Somebody working for a claims management firm approaches you, offering a large sum of money to steal the customer database, especially the mobile numbers. They want to send PPI claim text messages to all of the people on the list. You download the customer data, sell it, and pocket the proceeds. Having got it, you decide to sell the list to a rival mobile company. You put the information on a disc, and flog it on eBay. The people who send the PPI texts could receive a Civil Monetary Penalty of up to £500,000 as they do not have consent. But even if you are caught and prosecuted, the worst that can happen is to the thief is a maximum £5000 fine. The offence is not recordable, so you will not end up with a criminal record. The chances of being caught are slim, but the deterrent is even smaller.

Imagine if the government had long ago realised that the fines were not enough, and had taken the trouble to amend the law to punish white-collar data thieves with up to two years in jail. But around the time the law was being changed, the Prime Minister of the day met with representatives of a special interest group. Despite the fact that the new punishment was not intended to affect this group and detailed measures had been taken to protect them, the lobbyists were not satisfied, and they demanded that the prison sentence be held back. Even though the chances of their industry being affected by the change were very small, they could not accept even the slightest possibility that any one of their number could even face the possibility of a night in a cell.

If anyone else had held the country to ransom and prevented changes to a law that were entirely in the public interest, the press would be up in arms, pointing the finger with relish. If unions, lawyers, doctors or social workers – indeed, any regulated profession or group – expected crimes to have puny, worthless punishments just in case one of their own was imperilled, the Daily Mail would shout their condemnation from the highest rooftop.

And yet, we have to swallow special pleading from journalists in the name of press freedom, and live with a rampant black market in personal data as a consequence. The Information Commissioner is obviously desperate to tackle it, but the results in court are often ludicrous. The man who received stolen medical data from his girlfriend to use for personal injury claims was fined £1050. He memorably boasted after the verdict We’re going to Bella Italia after this and I’m having a fillet steak. A bank worker stole information from her employer about the victim of a sex attack committed by her husband. Her punishment was an £800 fine. Whatever you think about the publication of the BNP member address list, a fine of £200 for endangering life (and probably risking mass misidentification) is almost satire.

This is what any journalist who attacks the data theft prison sentence expects us all to tolerate for their safety. Gone is ‘publish and be damned’, to be replaced with ‘publish and be insulated from the consequences’. A number of Parliamentary committees have called for the sentence to be enabled, and the Information Commissioner himself is excoriating about a system where the punishments for data theft are so derisory. In the recent past, the constant refrain from Government has been wait for Leveson. We cannot pre-empt Leveson.

And now, Leveson has spoken, and regardless of what you think about the doomed suggestion of statutory underpinning and regulation, the data theft issue is very simple. Leveson argues for the prison sentence to be made live. When passed, the Data Protection Act contained a public interest defence for those accused of stealing data or procuring stolen data. When the last Labour Government recognised the failure of the current system and sought to introduce the prison sentence, they also amended the DPA further, making clear that all a journalist needs is a ‘reasonable belief’ that they are acting in the public interest to escape prosecution. Even though the prison sentence was not brought into force, this additional defence was.

At this point, before saying something contentious, the sensible writer includes a few sentences about how important they think press freedom and journalistic endeavour are. The secret hope of every blogger is probably that their sublime writing will catch the eye of a sympathetic editor and they will be catapulted from the amateur sphere and be given a weekly column, or at least a spot of freelance at the Guardian. Biting that hand that hasn’t even picked up the food is surely blogger suicide. But I can’t be arsed. I honestly don’t want to live in a country where journalists get locked up for doing good work, but I think I live in a country where newspapers can get mixed up in axe murders with impunity, so I doubt that Fleet Street will crumble if I fail to invoke the spirit of Voltaire before suggesting something that hacks might see as a check on their activities. They have David Cameron, Michael Gove and Boris Johnson and that’s all they need.

Besides, I come to exempt journalists, not to bury them. I think that the only solution to the data theft problem is to remove journalists from the equation. Lord Justice Leveson proposes significant amendments to the S32 exemption from DPA, which currently allows those processing personal data for journalistic, artistic and literary purposes to escape virtually all of the Data Protection principles as long as this is ‘necessary’. I think Sir Brian’s ideas don’t address the bigger picture, and should be binned. The press will never support any infringement of their liberties, whatever the justification, and some papers will monster anyone who supports such a plan. Meanwhile, the possibility of a prison sentence is likely to have a much better deterrent effect on office workers, nurses and cops tempted to steal or suborn others to steal personal data than a paltry fine and no record. If newspapers feel that they face this threat too, scaremongering about investigative journalists (rather than phone hackers and dumpster divers) ending up behind bars for speaking truth to power (rather than figuratively or actually smelling celebrity knickers) will continue its harmful knock-on effect.

S28 of the Data Protection Act gives those using personal data for the purposes of national security a total exemption from its requirements. Rather than continue to have the debate on data theft railroaded by a sideshow that is becoming increasingly sanctimonious, let’s extend that approach to journalists. Give them a ‘get out of jail free card’ and stop our personal data from being plundered everywhere else.

Carry On Motorman

My next blog post was supposed to be something a bit different, but I’m waiting for someone to respond to a complaint I’ve made before completing it. In the meantime, all I have is more Motorman ICO material. The muddle over the legal advice I wanted that they didn’t have and the legal advice they did have that they thought I didn’t want (and it turns out, could only have a bit of) is now parked in the ICO’s FOI complaints queue. I doubt there will be any appetite to expedite it, but I can wait.

But this week, a few more morsels bobbed to the surface. Thanks to the Independent, we know that in September 2011, the Information Commissioner personally reported Alec Owens, the ICO former investigator, to the police over the fact that he had copies of the Operation Motorman files. Owens had just made embarrassingly plausible allegations in the Independent that the ICO didn’t have the stomach to take on the press when they discovered the extent of blagging and hacking, and I don’t need to make a snide insinuation about the IC’s motives for shopping Owens, because Paul Farrelly MP has already put the boot in:

The knock on the door from police can only be interpreted as a counter-productive, cack-handed attempt to put the frighteners on before testimony in the public interest to the Leveson inquiry … Given [the committee’s] unsatisfactory experience with the ICO, nothing, frankly, would surprise me, but using the police in this way is a total misuse of resources and power


After the reports of the raid on Owens’ house, I made an FOI request to the Commissioner to find out more. Back then, it wasn’t clear who had dobbed Owens in, though the ICO seemed the obvious candidate.

This is some of what I asked for:

1)               The story [ about the raid on Owens’ house ] states that police were acting on “information received”. Did this information come from the Information Commissioner’s Office?

The first FOI response refused to confirm or deny any on the basis of the S40 Data Protection exemption. I don’t know whether it was Owens’ or (it turns out) Chris Graham’s data that was being protected, but I didn’t understand the response, so I asked for an internal review. Graham Smith, Deputy Commissioner, responded to my internal review last month, and he managed to make things worse. Smith’s response included this:

Technically I think the refusal on the grounds stated was correct. It may also have been strictly accurate to say that the ICO did not hold recorded information which answered your question.

Nevertheless, reviewing the situation now and in the light of information which has since come into the public domain, I can now answer your question by saying that in relation to matters referred to in the newspaper article, the police were acting on information which came from the ICO.

So on January 17th 2012, the ICO’s position was that when I originally asked about this in November 2011, they should have said that they had no recorded information about whether the ICO tipped off the police. However, Chris Graham confirmed in a letter to the Independent that he reported Owens to the Police in September 2011. For the ‘no info’ story to be true, Chris Graham would need to have acted in a personal capacity or alternatively dialled 999 and wrote nothing down. Is it entirely implausible to suggest that both the initial response and internal review were disingenuous i.e. neither respondent wanted to point the finger at the boss? Or that the first response was based on an inadequate search? Or am I just paranoid?

You can argue that Chris Graham was entitled to report Owens (his letter to the Independent certainly does), but that doesn’t explain the Alice in Wonderland FOI responses. It also doesn’t explain why he bothered to report Owens when one of the defences against a S55 offence is the public interest. As he said to the Independent, Owens believes he has such a defence, and his use of the Motorman evidence (however obtained) has been to raise issues of public concern. Even if you think Owens is motivated by a desire to stick it to his former employer (imagine that), it doesn’t take a genius to see that the case would go nowhere – and Cheshire Police have confirmed to the Indie that Alec Owens faces no further action.

I’ve got three problems now. This is the second time I have made an FOI request to the ICO, got an initially bewildering response which has been rendered even more bizarre when I asked for an internal review. The evidence of What Do They Know and anecdotes from other applicants suggest that the ICO’s approach to its own FOI requests is troubling. They cannot be a credible FOI regulator if their FOI practice is not on a par with the best of the public sector. The HSE cannot have its staff falling off ladders. I have trained quite a few organisations recently who do FOI with more clarity and understanding than the Commissioner’s Office, and the folk in Wilmslow should take a look in the mirror before writing any more preachy FOI press releases. Their new FOI guidance is really nice; I know they wrote it, but have they read it?

Second problem: one of the other questions I raised in my FOI was this:

What action is the Information Commissioner’s Office taking in response to this apparent breach of the Seventh Data Protection principle? Will the ICO’s own procedures be investigated?

The answer to that one was straightforward: “We can confirm that no recorded information is held.” In plain English, no. An employee apparently takes a huge amount of information – so huge that the ICO is currently and I imagine legitimately refusing to trawl through to satisfy hacking-obsessed MPs on the grounds of the massive effort it would require. The information includes the personal details of hundreds of innocent people. And yet, both as a responsible Data Controller and as the Data Protection Regulator, the Information Commissioner told me that they are not investigating the incident. Who cares if it was a historic event, just imagine what they would do if anyone else was guilty of such complacency? An NHS body on the South Coast is complaining about a proposed ICO civil monetary penalty that they think should be treated as a theft but the ICO is treating as 7th principle breach, so we know that the ICO is willing and able to distinguish between the two. Does Chris Graham believe other Data Controllers do not need to investigate breaches of this magnitude when they come to light because they’re historic? If so, he should say so openly.

And there’s my final problem. As an outsider, I think Operation Motorman looks like a diligent and through investigation undone by a failure of nerve on behalf of Richard Thomas and his Deputy. It is a matter of public record that both men dispute this, but Thomas’ own Leveson testimony convinced me that he didn’t want to go after Fleet Street. But this isn’t Christopher Graham’s problem. He has to deal with phone hacking and its repercussions now and he should be allowed to protect current ICO staff who were around at the time from unfair criticism. The ICO has sometimes looked like a proxy for politicians and journalists to monster because they can only get hold of members of the Murdoch family occasionally. And to be fair, the current holier-than-thou attitude of some MPs is sick-making when you consider that nothing that the Motorman-era Commissioner’s Office could have done would have had the same effect as political leaders of all persuasions not acting like Rupert Murdoch’s handmaidens.

However, the current Commissioner should not let his predecessor’s decisions (or lack of them) become an albatross around his neck. To ask for Owens to be investigated without finding out how he could have taken the data looks like spiteful doublethink. The inelegant and defensive FOI responses I’ve received only make matters worse. We need a bit of truth and reconciliation here, but the truth should come first. The previous Commissioner dropped the ball after Motorman. Alec Owens is entitled to be treated as a whistle-blower, not a criminal. If it was a crime for him to have those records, he’s got a defence and it was surely a breach of the Seventh Data Protection principle for them to be accessible. The ICO should be allowed to move forward but only if they stop pretending that they haven’t put a foot wrong, and only if they show that as a public authority and data controller, they can walk the walk as well as talk the talk. Until that happens, annoying bloggers like me will be the least of their problems.

Today’s post is brought to you by the letters I, C and O

Previously on the 2040 Information Law Blog…
Last September, a former Investigator from the Information Commissioner’s office (subsequently identified as Alec Owens) gave an interview to the Independent, in which he condemned his erstwhile employer for bottling the decision to prosecute journalists who had employed the private investigator Steve Whittamore. The Deputy Information Commissioner, David Smith, refuted Owens’ claims, stating that the ICO received legal advice that the journalists could not successfully be prosecuted. I requested the advice, and the ICO’s response was that it was not held. Shortly after, the ICO supplied legal advice – which included a consideration of issues around prosecuting journalists – to the Leveson enquiry. I asked for an internal review because, to paraphrase, they appeared to be taking the piss.
And now…
Before I continue, gentle reader, let us dally for a moment with a document called ‘Not what we do, but how we do it’. You can find it here, and it describes the values by which all ICO staff should do their job. I’ve mentioned it before, but I don’t think it’s as widely known as it deserves to be. Ernest Hemingway said that every writer needs a built-in bullshit detector. I read page 8 of this document, and my detector nearly gave me a hernia. The Information Commissioner’s Office is supposed to be a ‘model of best practice’. ICO Staff are exhorted not to “ask others to do what we are not prepared to do ourselves”. The ICO expects to be judged by high standards. Please keep this in mind as we proceed.


Last Friday, slightly later than advertised, I received my review response from the other Deputy Commissioner, Mr Graham Smith. Graham was my boss once, but if he recalls what a [expletive deleted] I was at the time, he shows no sign of it.


The apparent contradiction is explained. The advice I asked for, the one David Smith cited, has been disposed of. Graham offers me no explanation why. The explanation of why it was highlighted in the Independent is that David Smith used ‘What Price Privacy’ as a guide for what the advice said. The ICO is not obliged to adopt permanent contextualisation, but Smith’s statement would carry less weight had he said “According to ‘What Price Privacy’, we got some advice that we didn’t keep”. None of this makes the ICO’s statement to the Independent untrue. But I wasn’t convinced by that statement in the first place, hence my FOI request. Take a wild stab in the dark about what I think now.


So what about the other advice, the one supplied to Leveson? Even though he thinks it was irrelevant to my original request, Graham gave me the section of it mentioning journalists, with the other seven pages of advice redacted into inky blackness. Needless to say, the disclosed section isn’t a smoking gun that greenlights a smackdown on hacks, but riddle me this: the advice I received says “I understand that policy considerations have led to the view that enforcement of some sort, rather than prosecution is the way forward”. He even asks for the reasoning not to prosecute. So why did the second lawyer engaged by the ICO think it was a policy matter, when statements given to the Independent cite legal issues based on the first advice?


According to the internal review, the initial search identified this second piece of legal advice. My request clearly was for the advice that David Smith quoted in his statement to the Independent. So if you want to be bloody-minded (and when I was an FOI officer, bloody-minded was my middle name), the fact that the ICO identified advice about prosecuting journalists implicated in Operation Motorman during a search for advice about prosecuting journalists implicated in Operation Motorman is irrelevant, because it wasn’t the advice about prosecuting journalists implicated in Operation Motorman I had asked for. But given what this second piece of advice says, I think I can be forgiven for being cynical about why I didn’t get it.


Moreover, the initial FOI response says this: “In response to your request, we do not hold recorded information in relation to this request. We do not hold a written legal advice in relation to the decision not to prosecute the journalists involved in Operation Motorman.” (in other words, they don’t say ‘the legal advice you asked for’). If Graham Smith’s internal review is correct, the initial response was not. This should be of concern to the ICO and everyone they regulate, even if the only problem is that the initial response was imperfectly expressed.


Nobody can ask for an FOI search to include things that the punter hasn’t asked for; my point is that this search turned up something of clear, direct relevance to my request. It seems eccentric to the point of obfuscation not to mention it to me. Friends, my advice is to be as helpful as is practical because (a) that’s clearly in the spirit of the legislation and (b) it’ll almost certainly save you work in the long run. But I wouldn’t advise you to ask for clarification after 14 working days and then start the clock from then, and the ICO did that to me as well. The ICO seems to think that you can take a totally unimaginative reading of the request and ignore anything else, no matter how relevant it might be.


And here’s another thing. The ICO, like all public authorities, is under a duty to provide applicants with advice and assistance. In Graham Smith’s view, the ICO was under no obligation to advise or assist me by telling me even though what I had asked for was no longer held, a closely related document had been found. And no advice or assistance was required to explain where the advice I asked for has gone. The internal review did not accept any requirement to provide advice and assistance about anything.


So what’s my point? Well, I have two of them. Alec Owens accused the ICO of lacking the guts to take on Fleet Street. I believe him now. In another FOI internal review, Graham Smith confirmed to me that the police raid on Owen’s home shortly before his Leveson appearance followed a tipoff from someone at the ICO. Make of that what you will, but Owens’ allegations back up the fact that the ICO has a flimsy track record with big targets: the secret Phorm trials involving BT and the Wi-Fi scraping that Google originally said hadn’t happened are two good examples (if you think an undertaking counts, you’re reading the wrong blog). Even the current wave of fines – for which the ICO deserves credit – is directed only at self-reported public sector targets that largely won’t fight back. Until the ICO fines a big bank or utility company for a DPA breach, or issues an FOI enforcement notice to a central Government department, I see a credibility gap. I don’t believe that the only DP and FOI villains in the UK are Councils, NHS Trusts and similarly local organisations, but only they have anything to fear from the Commissioner right now.


And the other point? I think the ICO’s handling of its own FOI requests needs attention. The first response to my advice request was inadequate and possibly inaccurate – the lack of advice and assistance was abysmal. A glance at the last couple of months of What do they know shows that the ICO has refused to admit which of its senior officers have had training and coaching and which hold its own chosen DP qualification (both overturned on appeal). An applicant asked directly whether the ICO had accidentally disclosed information, and the answer managed to evade the key question almost completely. And just this week, they released a heavily edited version of their security incident log with two entries completely obscured. You can imagine the scorn if this litany of clodhopping decisions were in the ICO’s sights, rather than being made in their building.


The Information Commissioner’s Office can’t have it both ways – either they are a model of best practice (in which case, act like it), or they’re just another FOI public authority (in which case, cut the propaganda). Right now, if “it’s not what we do but how we do it”, then ‘we’ ought to be thoroughly ashamed of ourselves.  

Yes! We have no Bananas!

A few weeks ago, the Independent had a good splash over comments made by an insider in Operation Motorman, the ICO’s investigation into private investigators that started a ball rolling very slowly toward this summer’s phone hacking furore, and the remarkable humbling of Rupert Murdoch. In particular, the Independent’s source claimed that the ICO had bottled it, backing away from prosecuting those implicated in wrongdoing because they were afraid of the consequences of prosecuting journalists.
Despite the fact that seasoned ICO watchers might give this story some credence (see previous blog posts for my views on their rather lame approach to enforcing the DPA) the Information Commissioner’s Office issued a stern retort, stating firmly that the decision not to prosecute was based on “expert legal advice”: http://tinyurl.com/64vwdyx
This is a sound reason not to take action. One might wish for a Commissioner with a Quixotic urge to tilt at every windmill, but it would be expensive and a little self-indulgent. However, I was curious to read the advice to find out if it was as definitive as the ICO implied, especially given the fact that reliance on legal advice had been such a feature of the phone hacking case (i.e. the disagreement between the Murdoch clan and their erstwhile lawyers Harbottle Lewis over what HB’s advice on phone hacking meant). So I made an FOI request for the expert legal advice.
It was entirely likely that the ICO would refuse, using a possible double whammy of Section 30 (investigations) and Section 42 (legal privilege), but I thought I had a serious case of public interest on my side. Moreover, if they said no, this opened up the tantalising possibility of finally being the applicant in a worthwhile and challenging FOI case, with the added bonus that the public authority is one who will never pay me for training or consultancy (it’s bad policy to add to the workloads of potential customers, in my opinion).
So imagine my anticipation when the response finally arrived. They say yes, and I have a really interesting piece of information; they say no, and I can challenge them on the public interest. Given the gritty certainty of the ICO statement, there was only one outcome I had not foreseen despite the fact that I tell everyone I train that it’s the easiest answer in FOI, as long as it’s true: the advice is not held.
Readers of this blog (all four of you) may by now be inured to my ICO bashing, but frankly, I’m staggered. Are we to believe that the advice was received verbally, and never written down? I’m making an assumption that the advice was held, and has either been lost or destroyed. Either possibility is shocking.

The importance of the information is underlined by the way in which the Deputy Commissioner David Smith used it last month to defend the Commissioner’s Office from serious accusations. I’m not questioning anyone’s memory of what it said, but that’s a slender thread on which to hang a very weighty matter. I’ve put in a follow-up request, asking them to confirm whether or not it has been destroyed, but frankly, that’s a sideshow. I can just imagine the withering ‘Other Matters’ section of the decision notice that the ICO would take pleasure in writing if some other body was asked for such a pivotal piece of legal advice, with barbed remarks about records management. I still want to defend the ICO from people who want to abolish it, but frankly, they don’t exactly make it easy. The next time they criticise someone else for the quality of the record keeping, we should all take it with a pinch of salt.

Below is the response, including my request and their response. I’ve cut the review procedures and other elements, but left in all of their substantive response:

“Dear Mr Turner
Further to our acknowledgement dated 15 September 2011 we are now in a position to respond to your request for information under the Freedom of Information Act.

In your email dated 15 September 2011 you requested the following information:

In the Independent this morning, David Smith made the following statement.
“Our decision was based on expert legal advice that pursuing prosecutions would not be in the public interest, because of the difficulty in proving beyond all reasonable doubt that the journalists who received information from Mr Whittamore knew it could only be obtained illegally.”
I would like to request a copy of the legal advice Mr Smith refers to here. I assume you will consider the application of Section 42. Please take into account the following factors – Mr Smith has revealed the content of the legal advice, and disclosure of it is vital in terms of the public interest. The nature of the advice would assist in revealing whether allegations made in the Independent by a former ICO employee about the reasons for non-prosecution of journalists have any foundation.
In response to your request, we do not hold recorded information in relation to this request. We do not hold a written legal advice in relation to the decision not to prosecute the journalists involved in Operation Motorman.”


Is bottled water worth more than personal data?

Last month, a participant in the London riots was convicted of stealing £3.50 worth of bottled water, and sentenced to six months in prison. Another lad would have been jailed for the theft of £1 of chewing gum had he not been under 15. If either stole 100,000 people’s details and sold them, they could not have received a custodial sentence. A breach of the Data Protection Act’s s55 is not a recordable offence, so even a massive data theft would not show up on a CRB check, and would not have to be declared to employers. I think the strong legal reaction to the riots was justified. But we still live in a country where bottled water is valued more than people’s information.
How did we get in this position? A Heather Brooke article (http://tinyurl.com/5txarv5) about attempts to keep a lid on police leaks last week reminded me. Brooke made a compelling case for not cracking down on whistle-blowers, and to be concerned when the cops question journalists who are just doing their job. Even though I agree with Brooke here (not something that happens every day), previous stirring defences of journalistic freedom left us with the bottled water situation.
Think back to 2008, when the press saw off a proposal to jail data thieves in the Criminal Justice and Immigration Act 2008. The suggested new punishment had come about partly because of Clive Goodman’s phone hacking, and was closely associated with journalists. Donald Trelford alleged in the Independent that the proposed jail sentence could destroy investigative journalism and claimed it would make “Robert Mugabe nod in approval” (see http://tinyurl.com/6962776 for the full article).
Meanwhile, Daily Mail editor Paul Dacre’s rousing 2008 speech to the Society of Editors was widely reported because of his attack on the alleged amorality of Justice Eady. Read it here: http://tinyurl.com/6dpg5xa. The Mail Man upbraided Eady for frustrating the media’s moral obligations to report on cuckolding sportsmen and Max Mosley’s spanked arse. But Dacre also explained how Gordon Brown had leant an understanding ear to newspaper concerns about the DP amendment, and put it on hold. When Dacre met with Brown to press his case, he was accompanied by none other than Les Hinton of News International fame. It would be bad manners to mention that the Daily Mail topped the list of organisations that used private investigators in the ICO’s ‘What Price Privacy’ report, because Dacre told Parliament in July that he has never countenanced hacking or blagging.
Data Protection has always included a strong public interest defence. You have an absolute defence, even if you steal data, as long as it is in the public interest. When Labour originally decided to upgrade the theft punishment to a two-year maximum jail term, they included specific public interest protections for journalists. We now know that, despite Trelford’s surprise in February 2011 that anyone was still interested in phone hacking, one national newspaper’s handling of private information was appalling enough to warrant some real change, even if it proves to have been isolated to the News of the World. And we should shift the focus off journalists to people who steal customer databases, private investigators who blag information, and police officers who take information from the Police National Computer.
It would require no more than a stroke of the pen to make the jail sentence live. But so far, nothing. Heather Brooke is right that democracies need whistle-blowers and public-spirited leaks. We need journalists who plug away at difficult stories, free of intimidation and supported by the law. We should listen to journalists when they are being pressured by the establishment. However, independent media scrutiny must not prevent adequate penalties for data thieves – a healthy society needs both. People who steal data for profit should go to prison. Two people were prosecuted in June in the magistrate’s court, but despite the ICO’s efforts, they only got fines and I bet they turned a profit on the deal.
Unless / until Mr Cameron does what Mr Brown wouldn’t, or Lord Leveson comes to the conclusion that phone hacking is the final final straw, I have a modest proposal for the Information Commissioner. Chris Graham has made a consistent case for the jail sentence, mentioning it at every opportunity. Until someone listens to him, he has an alternative. Why doesn’t he show the value of personal data by fining people who steal it? The theft of data is a breach of the first data protection principle, as it is neither fair nor done according to the DP conditions. Theft is also a breach of the second principle (you wouldn’t send a notification to the Commissioner saying ‘I steal data and then I sell it’). It’s not what the monetary penalties were designed for, but we live in a topsy-turvy world. The courts have already sent a message to rioters – Graham should send his own to both politicians and blaggers.