First Criminal sentence obtained by ICO

This is the first criminal prosecution brought by the ICO resulting in a custodial sentence.

19 November 2018

The Data Breach

Mustafa Kasim, whilst working for a vehicle repair firm called Nationwide Accident Repair Services (NARS), used colleagues’ log-in details to access a significant number of customer records through a software system that estimates the costs of vehicle repairs. This pattern of conduct continued even after Mr Kasim started a new job at a different car repair organisation. After receiving an increasing number of complaints, NARS contacted the ICO about these nuisance calls and, per the ICO, “assisted [them] with their investigation”.

Why was this a criminal prosecution?

Whilst such conduct may usually be prosecuted under the Data Protection Act 1998 or 2018 (Data Protection Acts), in this instance the conduct was so flagrant as to warrant a criminal prosecution under s1 of the Computer Misuse Act 1990 (CMA). Mike Shaw, Group Manager Criminal Investigations Team at the ICO, stated “although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour”.

Until this point, the ICO had restricted its enforcement activity to prosecuting behaviour under the Data Protection Acts. However, the maximum penalty under this statutory regime is merely a fine. Under the CMA, in contrast, the maximum penalty for a breach is two years in prison.

Where does this leave us?

Ultimately, the ICO is empowered to bring prosecutions for any offence, unless specifically prevented from doing so. As a result, this development indicates that the ICO is willing to look at the conduct of a wrong-doer in the round and prosecute that conduct as it sees appropriate, rather than shoehorn its enforcement action into a data protection offence (such as s170 of the DPA 2018).

This sends a clear message to any individuals looking to exploit data that they do not have the right to access: they are not just risking a fine, there is the potential that they go to prison for their conduct.

Additionally, given the cooperation and assistance provided by NARS in this case, this may be evidence that the generally increasing trend of companies assisting a regulator, as a way of minimising the chance of enforcement action against them, is now also becoming the norm when dealing with the ICO. However, given the facts of this case, with a rogue employee seemingly solely responsible for the breach, only time will tell whether interactions with the ICO join this trend or whether such cooperation will prove to be unique to the facts of this case.
