Among the many changes brought in by the Criminal Justice and Public Order Act 1994 (CJPOA) is an amendment to the criminal provisions of the Data Protection Act 1984 which so far has been little noticed but which may have a significant impact on some members of the profession.

The amendment is made by s.161 of the CJPOA, which came into force on 3 February 1995.

S.161 is aimed at curtailing unacceptable practices among those who procure information and as such will impact both on enquiry and tracing agents and those who employ their services.In some circumstances procuring information becomes a primary offence under the new provisions.

It therefore extends the possibility of criminality to a person who instructs the agent.

The solicitor who uses an agent to obtain information may now face the possibility of being affected by the actions of that agent.

Solicito rs will be concerned to ensure that they and their clients are able to employ tracing or enquiry agencies without running the risk of committing secondary offences of aiding, abetting, counselling or procuring breaches of the Data Protection Act.The amendment does not prohibit the work of tracing or enquiry agencies, but curtails practices which may be legitimately employed to obtain information.In November 1992 the Sunday Times commissioned enquiry agents to demonstrate how easily reports could be obtained on a number of prominent public figures.

The agents obtained credit card details, bank balances, bill payment information and mortgage arrangements, among other things.

Similar exercises have since been undertaken by both the TV and press to produce medical, employment and other records.

The 'revelations' that such information can be obtained have given rise to widely expressed concern at the accessibility of records which most people expect to be inaccessible.The methods which may be employed to obtain the information vary.

In some cases staff corruption may be involved.

Investigators may make use of contacts, whether for payment or otherwise.

However, in a substantial proportion of cases, the investigators appear to use telephone deception to acquire the information.The problem appears to be widespread and those who target organisations to obtain information are well organised and equipped.

They may even provide instruction manuals to teams of staff who are employed repeatedly to contact target organisations seeking to obtain information.There are no general figures available to measure the extent of the problem.

One of the few organisations prepared to be open about the scale of the problem, the Department of Social Security, carried out a survey over a three-month period in 1993, logging the number of known attempts to obtain information from their offices.

Over that period they logged over 500 unsuccessful attempts.

There are no figures available from commercial organisations but clearly the DSS figures indicate that this is a substantial activity.In his annual report in June 1993, the then data protection registrar, Eric Howe, expressed his concern both at the apparent ease with which information which might be expected to be confidential could be procured and the fact that the practices often employed to procure it fell outside the scope of regulation.

The registrar's concern was evoked because nowadays the source of information is usually a computer database of personal information.

The target organisations are broadly central government (eg the DSS) and local government (eg community charge registration sections), financial institutions (eg banks, building societies) and other large data users with extensive records (eg utility companies, the police).These are also the organisations which have enhanced the information environment of front line staff.

Information that might once have been inaccessible on a paper file in a back office is now held on networked computer systems and accessible to a wide range of staff simply by logging onto terminals on desks.

Both the number of points of access to information and the amount of detailed information available has multiplied enormously throughout organisations.

As all lawyers know, information is not property and cannot be stolen and the practice of obtaining information, whatever its nature, by deception is not a criminal offence.This was confirmed in the case of DPP v Withers [1974] 3 All ER in which the House of Lords ruled that the practice of obtaining info rmation by deception was not an offence known to the law.

In the Withers case four appellants had been charged with conspiracy to effect a public mischief.

The appellants ran an investigation agency which provided reports on the financial standing of third parties.

In order to obtain that information they deceived banks, building societies and others into providing it.

An example of the methods described in the case was of calling a branch of a bank pretending to be from another branch of the same bank which was authorised to receive the information.The House of Lords held that obtaining information by deception was not an offence known to the law and accordingly conspiracy to do it could not be an offence.In March 1994, the minister of state for the Home Office announced that the government intended to amend the law to make clear that a person who obtains information by deception is guilty of an offence.

In fact the present amendment was a response to one tabled in the Lords.

In July 1994, during the House of Lords' consideration of the new CJPOA, Lord Brightman moved an amendment which would have made the act of obtaining information by deception a criminal offence.

This would have created a general criminal offence relating to any kind of information however held.

The government rejected this amendment as being too wide and as raising similar concerns to those raised by the Lord Chancellor's paper on the infringement of privacy.

After some negotiation a compromise was reached whereby the perceived problem has been tackled by an amendment to the Data Protection Act.The nature of the amendment is somewhat technical, in that it is tied to data covered by the Data Protection Act and registrable under that Act.

However, given the increasingly pervasive use of computers to hold personal information its effects may still be far reaching and it has been welcomed by the current data protection registrar, Elizabeth France.

In practice, the target information will usually be held on computer and the target or data organisations will be registered data users.S.161 adds five new subsections to s.5 of the Data Protection Act.

To understand how the new provisions work it is necessary to grasp how the registration provisions of the Data Protection Act apply and the nature of the offences created by those provisions.Most solicitors will have already wrestled with the need to register under the Act and be familiar with the concepts, but a general explanation may be useful here.

Under s.4 of the Act, data users must register with the data protection registrar.

Data users are those who control the contents and use of personal data.

In simple terms the registration consists of:-- a description of the persons about whom data is held; for example, a solicitor's practice might register that it holds data about clients or students or employees;-- a description of the purpose for which that data is used; for example, a solicitor's practice might register that it uses the data for the provision of legal services and for personnel/employee relations;-- a description of the sources of the data; for example, a solicitor's practice might register police and clients as sources;-- a description of the persons to whom they will disclose the data; for example, a solicitor's practice might register courts and social workers as disclosees;-- a description of places overseas to which they may transfer the data.There are criminal sanctions for data users who act outside the terms of registration.

The offence provisions are contained in s.5 of the A ct.

It is an offence, knowingly or recklessly, to:-- hold or use personal data for an unregistered purpose;-- hold personal data of a type not described in the register;-- obtain personal data from a source not described in the register;-- disclose personal data to a person not described in the register;-- transfer personal data to a country not described in the register.

S.161 makes three substantive additions to this regime.

It makes it an offence:-- for a person to procure the disclosure of information to him knowing or having reason to believe that the disclosure is in breach of a registration;-- to sell information which he has procured;-- to offer for sale information which he has so procured or subsequently procures.Until 3 February 1995 it was not a primary offence to procure the disclosure of data.

Therefore, although the data user contravened the Data Protection Act if he or she was duped into providing information to someone not described in the register entry, the third party who acquired it by whatever means, whether corruption, connivance or deception, could only be liable for aiding, abetting, counselling or procuring the breach of the Act by the data user.

This led to the curious position that the only possibility of bringing charges against the perpetrator of the deception would be if the victim (the target organisation) could itself be charged with an offence.In cases of deception, of course, the victim would not be guilty of any offence as the disclosure, although unregistered, would not be made knowingly or recklessly.

In a successful deception (even if it was spotted after the event) there would be no primary offence and therefore no secondary offence.

In an unsuccessful attempt there could be no charge as no one can be charged with attempting to commit a secondary offence.

S.161 now closes that loophole.

S.5(6) provides that: 'A person who procures the disclosure to him of personal data, the disclosure of which is outside the terms of the data user's register entry, knowing or having reason to believe that the disclosure constitutes such a contravention, shall be guilty of an offence.'Although concerns were originally voiced over obtaining information by deception, the offence is not limited to deception only.

It will also impact on information procured from accomplices or contacts among staff.

It is an essential element of the actus reus of the new offence that there must be a disclosure of data from personal data held by a registered data user.

If a data user is exempt from registration, or not registered although he or she should be, there can be no actus reus.

The offence requires that the procurer knows or has reason to believe that the disclosure constitutes a contravention of the register entry.The disclosure must also be to someone not registered in the data user's register entry.

The data protection registrar has made some alterations to the way data users are able to describe disclosures in their registrations to make it clear that only authorised contacts are covered by the registration.

This arises because the registrar has been prepared until now to accept the registration of disclosures in fairly broad terms.

It has therefore been possible to register a category of disclosure described simply as 'debt collection/tracing agencies'.

As a result of the CJPOA amendment the registrar has been working with target organisations to agree a way of amending registrations to ensure that the disclosure description only covers those persons authorised by the data user.

From 1 April 1995, data users have been able to ask the registrar to amend their registrations to include the following wording: 'Under sources and disclosures the description below of the person or persons to whom the data user intends or may wish to disclose the data, is limited to those persons to whom the disclosures are made in accordance with the data user's practices and procedures, or otherwise with the authority of the data user.'Where an agent procures information by deception then the mens rea can be inferred from the fact of deception itself.

An agent who uses deception is unlikely to be able to argue convincingly to a court that he or she believed him or herself authorised to receive the information.

After all, if he or she did, there would have been no need for the deception.

In addition the nature of the approach, which is usually made to front line staff who have access to a terminal with a request to provide the information, would be sufficient to infer from that an awareness that the information was available on, and being produced from, a computer record.How does this affect the position of the solicitor who employs a tracing or enquiry agent to discover information in relation to a case? How comfortable can a solicitor be to find him or herself the recipient of information which suggests, by its very nature, that it has come from a source which would not be prepared to divulge it in response to a straightforward request? The answer may well not be very comfortable at all.

The solicitor who instructs an agent to find out information, for example, about the financial standing of a potential defendant, such information being to his or her knowledge information which is not freely available and would be unlikely to be given willingly, could be accused of counselling or procuring the offence of procuring the disclosure of data in contravention of s.5(6) of the Data Protection Act.It would be difficult for a solicitor to argue that he or she was completely unaware that banks are highly computerised and keep customer account details on computers.

Neither would it be particularly convincing for a solicitor to argue that he or she had no idea that banks have obligations of confidentiality to customers and do not provide information except under very limited circumstances.Some of these concerns about the use of agents have been taken on board by members of the Retail Credit Group.

This is a trade association of some of the biggest names in retailing, including the Burton Group, Dixons, Jaeger, Kingfisher, Marks and Spencer and House of Fraser.

They are ensuring in their contracts with collection and tracing agents that the Data Protection Act, as amended, is not breached during activities carried out on their behalf and that they do not receive information obtained in breach of the Act.

Solicitors might do well to adopt a similarly prudent course in their contracts with tracing and enquiry agents by the inclusion of a term stipulating that information should not be obtained in breach of the Data Protection Act and any information so obtained should not be passed to the solicitor.Solicitors will find that reputable agents will not have difficulty in accepting such a requirement and indeed are likely to welcome it as supporting their concerns to operate in an ethical manner.

Representatives of the Association of British Investigators have been in discussion with S.161 may well bring about a quiet revolution in the information market the registrar's office with a view to agreeing provisions in a code of conduct for their members, whic h would cover questions about the methods by which information is obtained by their members and make clear that unlawful methods should not be employed.While in the past it may occasionally have been tempting to instruct an agent to obtain information, for example, about a defendant's financial situation, without asking too many questions about how the agent came by the information, it would be prudent to avoid such temptations in the future.

The amended s.5 also contains two further offences.

S.5(7) provides that: 'A person who sells personal data shall be guilty of an offence if (in contravention of subs 6 above) he has procured the disclosure of data to him.'The tracing agent who procures information for sale will also be caught by this offence provision in the act of selling the information.

A solicitor may be guilty of aiding, abetting, counselling or procuring if he or she purchases information the sale of which is an offence under s.5(7), even if it can be argued that the initial actions in instructing the tracing agent were too remote from the act of procuring to amount to aiding or abetting an s.5(6) offence.

Once the information which has been procured in such a manner is sold to him or her the solicitor will clearly be aiding, abetting, counselling and procuring the sale, which is in itself an offence.

It is for this reason that it is suggested that solicitors include in the contract with the agent the requirement that any information obtained in breach of the Data Protection Act must not be passed to the solicitor.Where an agent offers to provide information which on the face of it could only have been obtained by some breach of confidence or underhand method it might be prudent for the solicitor to take the same care in handling it as would occur if somebody came into the office offering to sell (at an amazingly low price) brand new consumer goods which had fallen off the back of lorries.The third offence is contained in s.5(8) whereby: 'A person who offers to sell the personal data shall be guilty of an offence if, in contravention of subs (6) above, he has procured or subsequently procures the disclosure of the data to him.' Subs 9 provides that an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

This provision is aimed at those agencies which openly advertise the provision of information from banks and building societies, for example, a leaflet offering to 'provide virtually unlimited access to all manner of supposedly confidential data'.Although s.161 is a small and so far largely unremarked provision it may well bring about a quiet revolution in the information market.

No doubt, there will be voices heard protesting that this change to the law makes it more difficult for honest clients to trace fraudsters or those who skip without paying their debts.

This is a concern which will be widely supported.

If there are pressures for the provision of information, however, they should be considered openly.One of the side effects of the change may be increasing pressure for wider availability of information about the financial standing of individuals, particularly in relation to court proceedings.

Until now we have had a covert market in information.

This amendment may be a significant step towards dealing with some of the information pressures in society.

It will not only change practices but should also widen the debate about the proper uses of information and the reasons for which access to information about others should be obtained.

As such it is welcomed by the registrar's office and one hopes it will be equally welcomed by the legal profession.