Everyone has received a nuisance call, and they are a real nuisance to many, but how do your details become available, and what is being done about it?

Who are the ICO?

The Information Commissioner’s Office (the ‘ICO’) is an independent organisation that was set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals.

The ICO take various forms of action against organisations and individuals, and that can include criminal prosecutions.

What happens with a criminal prosecution?

Criminal prosecution has, historically, been taken under one of the two Data Protection Acts. Under this legislation, the maximum penalty for breach is a fine. There is also a separate financial penalty regime that can now result in very high financial penalties being imposed.

Only a fine?

Until now the action taken by the ICO has only ever resulted in a financial penalty. It would appear, however, that as the seriousness with which such breaches are taken increases, the ICO have reconsidered their powers and options.

For the first time the ICO has used the Computer Misuse Act in a prosecution, crucially this legislation allows for a custodial sentence rather than just a fine.

Mustafa Kasim worked for a car accident repair firm. He used the login details of his colleagues to access the company’s software system and continued to access a similar system when he moved to a new company.

From there he took details of customers names and addresses along with vehicle and accident details, information that was then forwarded to claims management companies.

The ICO were alerted following a referral from the original company due to an increase in complaints concerning nuisance calls.

In using the different legislation for the prosecution, the ICO said that they had to reflect the nature and extent of the offending and the wider range of penalties available for the Court by using the Computer Misuse Act.

How much more serious is the other offending?

Section 1 of the Act, as prosecuted in this case, allows for up to 2 years imprisonment to be imposed at the Crown Court. Other offences under the Act carry up to 14 years imprisonment.

This case is a clear sign from the ICO that they are considering their wider powers and duties in respect of prosecutions, and it is unlikely that Mr Kasim will be the only person to be prosecuted under alternative legislation. No longer will breach of privacy and data protection rules simply be subtracted from the bottom line as a cost of business.


Contact Us

Go to Top