The Information Commissioner's Office ("ICO") has, for only the second time in its history, prosecuted individuals under the Computer Misuse Act 1990 ("CMA") in order to secure stricter criminal penalties for unauthorized access to personal data (including prison sentences and confiscation orders) than are available under the Data Protection Act 2018 ("DPA 2018").

In this case, on January 8, 2021, a former employee ("D") of the RAC (a well-known breakdown and recovery service in the UK and Europe) pleaded guilty to conspiracy to secure unauthorized access to computer data and to selling unlawfully obtained personal data. The ICO's investigation found that D had compiled lists of road traffic accident data without her employer's permission. The data was accessible to D because of her position as an RAC Performance Manager and included the names, telephone numbers and vehicle registration numbers of the parties involved. D then unlawfully passed the data to the director of an accident claims management company, LIS Claims ("S"), who used it to harass the individuals concerned.

Both S and D were convicted of offenses under the CMA and each sentenced to eight months' imprisonment, suspended for two years. They were also ordered to carry out 100 hours of unpaid work and to pay £1,000 each towards costs. In addition, the court made a confiscation order under the Proceeds of Crime Act 2002 requiring D and S to pay £25,000 and £15,000 respectively.

The ICO pursued the prosecution under the CMA because of the seriousness of the offending. Offenses of this kind are usually prosecuted under section 170 of the DPA 2018, which makes it a criminal offense for a person, knowingly or recklessly, to:

  1. obtain or disclose personal data without the consent of the controller;
  2. procure the disclosure of personal data to another person without the consent of the controller; or
  3. after obtaining personal data, retain it without the consent of the person who was the controller when the data was obtained.

The maximum penalty for a section 170 offense is a fine. The CMA, by contrast, provides for more severe penalties, including imprisonment. Under section 1 of the CMA it is an offense to cause a computer to perform any function with intent to secure unauthorized access to any program or data held in that computer, and the offense carries a maximum sentence of two years' imprisonment.

The comments made in this case by Mike Shaw (Head of the Criminal Investigation Team at the ICO) suggest that the ICO will make full use of the various legal frameworks available to it in order to match the level of punishment to the seriousness of the data breach. Mr. Shaw stated:

Criminals need to know that we are using all the tools available to us to protect people’s information and prevent it from being used to make disruptive calls.

The ICO also said it will "take full advantage" of the Proceeds of Crime Act to prevent criminals from benefiting financially from their offending.

We are monitoring trends in the ICO's enforcement and prosecution activity closely. The tougher stance taken by the ICO in this case should serve as a warning to anyone seeking unauthorized access to electronically stored personal data that they may face not only penalties under the DPA 2018 but also prosecution, and therefore harsher penalties, under the CMA.

This case also reinforces the message to companies and organizations that process personal data that they must prepare for, and protect themselves against, the risk of rogue employees obtaining unauthorized access to electronically stored personal data and/or reselling it. Security measures to protect personal data against unauthorized or unlawful processing, for example controls that identify unusual activity and bulk data exports, must be sufficiently robust and effective to counter both internal and external threats. The risks can be compounded by the increased number of employees working remotely and without regular supervision (including as a result of the COVID-19 pandemic). Employee screening, training, regular communication and ongoing compliance reviews are essential to reduce these risks.
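The control mentioned above, identifying unusual activity and data exports, is illustrated by the following added example; it is not code from the original post or from the RAC or the ICO. It assumes an application or database audit log that records, per query or export, the day, the user and the number of records returned (a constructed layout, as is the sample log inside the block), and it flags a user whose daily total is far above that user's own recent history, or above an absolute floor when the user has no history yet. The thresholds are assumptions chosen for the example.

```python
"""
Per-user baseline detection of unusual bulk record access.

Added illustration, not code from the original post or from the RAC/ICO.
The log layout (day, user, records returned) and the thresholds are
assumptions chosen for the example; the sample log below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: one row per query or export against the
# accident-data store, as (ISO day, user, number of records returned).
# "analyst1" legitimately handles large volumes every day; "dsmith" suddenly
# pulls thousands of records on the last day; "newhire" has no history yet.
SAMPLE_LOG = [
    ("2020-06-01", "dsmith", 40), ("2020-06-02", "dsmith", 55),
    ("2020-06-03", "dsmith", 48), ("2020-06-04", "dsmith", 52),
    ("2020-06-05", "dsmith", 45),
    ("2020-06-06", "dsmith", 1500), ("2020-06-06", "dsmith", 1700),
    ("2020-06-01", "jdoe", 30), ("2020-06-02", "jdoe", 35),
    ("2020-06-03", "jdoe", 28), ("2020-06-04", "jdoe", 33),
    ("2020-06-05", "jdoe", 31), ("2020-06-06", "jdoe", 34),
    ("2020-06-01", "analyst1", 2000), ("2020-06-02", "analyst1", 2100),
    ("2020-06-03", "analyst1", 1950), ("2020-06-04", "analyst1", 2050),
    ("2020-06-05", "analyst1", 2000), ("2020-06-06", "analyst1", 2080),
    ("2020-06-06", "newhire", 800),
]


def daily_totals(events):
    """Sum records returned per (user, day): many small exports add up."""
    totals = defaultdict(int)
    for day, user, count in events:
        totals[(user, day)] += count
    return dict(totals)


def flag_bulk_access(events, target_day, min_records=500, z_threshold=3.0):
    """Return alerts for users whose total on target_day is far above their
    own history, or above an absolute floor when they have no usable history.

    The floor also stops the z-score from firing on tiny fluctuations when a
    user's history is perfectly flat (sigma close to zero).
    """
    totals = daily_totals(events)
    history = defaultdict(list)
    for (user, day), n in totals.items():
        if day < target_day:          # ISO dates compare correctly as strings
            history[user].append(n)

    alerts = []
    for (user, day), n in sorted(totals.items()):
        if day != target_day:
            continue
        past = history.get(user, [])
        if len(past) >= 2:
            mu, sigma = mean(past), pstdev(past)
            threshold = max(min_records, mu + z_threshold * sigma)
            reason = f"{n} records vs. baseline mean {mu:.0f} (threshold {threshold:.0f})"
        else:
            threshold = min_records
            reason = f"{n} records with no usable baseline (floor {min_records})"
        if n > threshold:
            alerts.append({"user": user, "day": day, "records": n, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in flag_bulk_access(SAMPLE_LOG, "2020-06-06"):
        print(f"ALERT {alert['day']} {alert['user']}: {alert['reason']}")
```

Run against the constructed log, this flags "dsmith" (3,200 records against a baseline of roughly 50 a day) and "newhire" (800 records with no history), while "analyst1" is left alone because the comparison is against that user's own baseline rather than a single company-wide limit. In a real deployment the events would be fed from database audit logs, export endpoints or a DLP product, and a per-role baseline and an out-of-hours check would normally sit alongside the per-user one.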