One of the common threads in discussions about Caredata and other large databases is the idea that there should be gaol terms for those that transgress. See, for example, Ben Goldacre's two columns on the topic in the Guardian.
I don't think that this can work, and I don't think it's an effective penalty. Worse, I think it's a distraction.
In the aftermath of the Herald of Free Enterprise disaster, there was a massive call for the introduction of an effective charge of Corporate Manslaughter. Such legislation has now been on the books for seven years. There have been very few prosecutions, even fewer convictions, and I believe (I would welcome correction) no gaol terms.
The problem is that the threshold for showing that the company either sanctioned, or was reckless about, the behaviour that led to the death is extremely high and very hard to get over. Courts are ill-placed to determine who said what to whom in corridors and meeting rooms, and the standard of "beyond a reasonable doubt" means that lack of evidence is lack of conviction.
And at least in the case of health and safety (the main area where corporate manslaughter is likely to arise) there is widespread public awareness of the legislation, and the endpoint --- a corpse --- is fairly unambiguous.
That's not remotely the case in data protection. Firstly, the legislation surrounding data protection is anything but unambiguous, and there is very little case law. Actually demonstrating that an individual in senior management grossly breached it, or was reckless as to the breach, will be virtually impossible. Consider Caredata today: ministers and senior directors are unable to agree on what was released, under what provisions, and what the law actually says. This would not even get over the civil standard of proof, never mind the criminal one. Courts require a very high threshold before gaoling people for acts committed as officers of companies, and this would not get close to that level.
Secondly, if the claim were that it would deter individuals from misusing data they have access to, it would be even less effective. Courts will be very reluctant to support the contention that employees have a wide-ranging obligation to check the orders they are given by their employer for lawfulness except when the act is so manifestly unlawful as to fail the "reasonable man" test, or when the employee is a qualified professional being asked to knowingly breach their professional obligations (for example, an accountant being asked to file misleading accounts). Actually pinning down someone in the chain involved in releasing data who can be reasonably expected to realise that the act they were asked to commit was part of any unlawful scheme would be very difficult in a civil case; again, it is fanciful to think it would pass a "beyond a reasonable doubt" test. In the case of the release of HES information to the IFoA, assume for one moment that it actually is, in terms, illegal: where would you place the responsibility, and whom would you propose to prosecute?
It is possible that the threat might be useful against individuals who, of their own volition, access, release or otherwise mis-use data they are not entitled to handle in this way. However, that is where the "distraction" argument comes in. Data controllers should put in place controls and processes such that individuals cannot release data they are not entitled to. By having "oh, but they'll go to gaol" lying around as a rusty blunderbuss, a data controller can put in place inadequate controls and defend them with the argument that the staff are incentivised to behave by the threat of gaol. But that's true of frauds carried out by staff against either their employer or their employer's customers: it's straightforwardly illegal, and you can go to gaol. People still do it, because they (accurately) regard the risk of detection as low, the risk of prosecution as even lower (employers are very reluctant to admit to fraud in their operation) and the risk of serious sanction almost infinitesimal.
And in any event, none of this consoles the victims. If your medical record is leaked, the fact that someone went to gaol does not get your privacy back. And until a significant number of people have been gaoled pour encourager les autres (i.e., until a significant number of offences have been committed) the threat is hollow anyway. So in the meantime, data controllers will deploy inadequate controls backed by implausible threats, and everything will go on much as it already does.
For sanctions to be effective, they have to be usable and deterring. Data protection failures are unlikely, other than in the most egregious cases, to leave a detailed enough trail to sustain a criminal prosecution, still less one ending in gaol time for individuals. It's a hollow threat, which makes the threatener look weak.
No, far more effective is a civil regime as follows:
As a data controller, you are responsible for the data you handle. If it leaks, you have broken that responsibility. We do not care why it happened: you are responsible for implementing controls sufficient for the material at hand. After one leak of government-supplied data you will be subject to a one year suspension from the processing of any government-supplied data for any purpose, including existing contracts. This will probably bankrupt you. A second offence will result in a ten year ban, which will bankrupt you. If you have any doubts about your data protection regime, please seek advice from the ICO or CESG, who will be only too happy to help. Board, hear this: just as you are still liable to repay money to your customers that was stolen by rogue staff, yes, we are making you responsible for your staff. We are not joking.
This would also incentivise other staff to keep an eye on their colleagues: knowledge that everyone will lose their jobs in the event of a failure will focus everyone's minds wonderfully. The fear of this will put a massive premium on the willingness of private sector companies to take on risky contracts, which will make government much more careful about issuing them. Everyone wins.