20 Nov 2018

The Information Commissioner’s Office (“ICO”) has successfully prosecuted a motor industry employee, Mustafa Kasim, for theft of customers’ personal data from his previous employer. Mr Kasim pleaded guilty to the offence, which resulted in the first-ever (six-month) prison sentence under the Computer Misuse Act 1990 (“CMA 1990”).

This is yet another example, like the recent Morrisons decision, of the courts taking a tough stance against deliberate data protection breaches.

Mr Kasim, who worked for an accident repair firm (Nationwide Accident Repair Services (“NARS”)), used his former colleagues’ login details to access the personal data in a software system that estimates the cost of vehicle repairs, known as Audatex. The ICO claimed that he continued to do this after he started a new job at a different car repair organisation, which used the same software system. NARS contacted the ICO following an increase in customer complaints about nuisance calls and assisted the ICO with their investigation.

Use of tougher enforcement powers

This was a clear data protection issue and typically the ICO would prosecute such cases under the Data Protection Act 1998; the timing of the case rendered the General Data Protection Regulation inapplicable. However, the ICO instead decided to prosecute under s.1 of the CMA 1990 for the misuse of personal data on a computer. The rationale was that the offence under the CMA 1990 carries a custodial sentence of up to two years, and that this tougher penalty better reflected the nature and extent of the criminal behaviour in question.

In this particular case, the ICO stressed that the potential reputational damage for the targeted company was “immeasurable” given that the data in question was a “valuable commodity”. The ICO has confirmed following this decision that both NARS and Audatex have put appropriate technical and organisational measures in place to prevent any similar events.

What the future holds…

This decision sends a clear message to employees (and to some extent employers!) that the ICO will not hesitate to use the most effective and toughest of enforcement powers to prosecute those who obtain and disclose personal data unlawfully. It seems likely that more prosecutions will follow in light of this decision.

For employers, it is increasingly important to have in place even tighter controls and restrictions on personal data processed by employees. On a practical level this could include the increased use of passwords, stringent records of access, or data misuse policies and confidential information provisions to act at the very least as a deterrent. All such measures will help satisfy the ICO and any court that the employer has appropriate technical and organisational measures in place to help prevent the unlawful use of data and to prevent or limit any of the employer’s potential liability in the event of a breach.

How can we help?

If you need advice on any of the issues raised above, whether it be an existing or former employee who has access to particularly sensitive personal data or ensuring that your data systems comply with data protection legislation, then we would be happy to help. Please get in touch with Razia Begum or Rachel Ashwood.