Go to jail, move directly to jail, and do not collect any personal data
Last week, the Information Commissioner’s Office (ICO) – the UK data protection authority – brought proceedings against a motor industry employee who had been accessing personal information from customers without permission. The resulting sentence was six months in prison.
The defendant in this case, Mr Mustafa Kasim, previously worked for Nationwide Accident Repair Services (NARS) and had been frequently using his colleagues’ log-in details to access a software system called Audatex which allowed him to access thousands of customer records without permission.
By accessing this system, Mr Kasim was able to gather customers’ names, phone numbers, and details regarding their vehicle and accident information. It was discovered that, even after leaving NARS to work for a competitor, Mr Kasim continued to use other employees’ details to access this information. This came to light after NARS noticed a significant increase in customer complaints regarding nuisance calls and contacted the ICO.
After considering the facts and circumstances of the case, the ICO chose not to prosecute the case in the usual way under the Data Protection Act 1998 or 2018, and instead chose to prosecute under Section 1 of the Computer Misuse Act 1990. Section 1 of this Act refers to causing a computer to perform a function with intent to secure access to any program or data held on that computer. It carries a custodial sentence of up to two years. This is the first time that the ICO has chosen to raise proceedings under legislation which carries a potential prison sentence, instead of under data protection legislation.
The ICO hopes that this action will act as a deterrent to those who try to obtain and disclose personal data without permission in the course of their employment. Demonstrating the severity of such cases, Mike Shaw, who is the Group Manager of the Criminal Investigations Team at the ICO, commented that in this case the ICO had been “able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour.”
Additionally, in this case, confiscation proceedings under the Proceeds of Crime Act are already underway to recover any benefit obtained as a result of the offence from Mr Kasim.
This case demonstrates how seriously the ICO is taking such unlawful access and use of personal data, and the lengths to which it is willing to go to punish those who try to unlawfully take advantage of personal data. It is important that companies and employees take notice of the results in this case and ensure the protection of the data that they hold. If not, it might not just be money that you lose, but time when you are behind bars.
This article was co-authored by Jennifer Dool.