The UK government is toughening its stance against thieves who steal personal data by applying a sentence of up to two years in prison.

Data thieves had previously faced only a fine under the 1998 Data Protection Act, but they could now face a six months' sentence for a summary conviction and up to two years for a conviction on indictment. 

But IT security experts have questioned whether the new tougher stance will be carried through in the courts.

"These crimes are serious and, in some cases, a jail sentence is more appropriate than a fine," Graham Cluley, consultant at IT security firm Sophos, told vnunet.com.
"However, as the UK government seems to have been issuing guidance to judges to minimise the number of people being sent to British prisons, we will have to wait and see whether this results in more criminals behind bars."

The UK Department for Constitutional Affairs claimed that the changes were particularly designed to stop private investigators obtaining information illegally. 

"People have a right to have their privacy protected from those who would deliberately misuse it, and I believe the introduction of custodial penalties will be an effective deterrent to those who seek to procure or wilfully abuse personal data," said Lord Falconer, Secretary of State for Constitutional Affairs.

Cluley added that the change in law is timely, as the amount of data held about individuals on company networks increased the temptation and opportunities for criminal workers to steal it.

"Cases have been reported, for instance, of employees stealing confidential customer information from call centres that they are working in and then using the stolen data for identity fraud," he said.