Council ICT staff guilty of malicious data breaches should be sent to prison, according to a personal data campaign group.

The group, Big Brother Watch, released a report this morning saying that despite more than 400 instances of theft between April 2011 and April 2014, just a single person faced criminal sanctions and only 50 have been dismissed.

It called on the government to trigger an unimplemented clause in the 2008 Criminal Justice and Immigration Act allowing ministers to impose sentences for the selling or theft of personal data.

“Judges presented with serious data breaches should be able to hand out custodial sentences if the perpetrator is found guilty of a serious breach,” the report said.

“Enacting this small piece of legislation would show that the government is serious about safeguarding the privacy of individuals.”

Giving guilty parties a criminal record could prevent them getting future jobs in organisations dealing with highly sensitive data, the campaigners said.

The provisions of the act do not apply to accidental data breaches by staff – only if they are found guilty of selling the information.

The report also found that different councils record data breaches differently, and called for a standard method to be developed.

It said: “According to our findings, 167 (38%) of all local authorities reported no data breaches between 2011 and 2014.

“It is probable that local authorities are using different criteria to determine what is and what isn’t a breach. This is unhelpful.

“It creates a false impression of the scale of the problem and opens some local authorities (which may have stricter reporting criteria) to unfair criticism when compared to others.”