The case highlights a need for businesses to concentrate on GDPR compliance programmes, particularly in respect of security measures, and the range of powers available to the ICO and the regulatory appetite it has to exhaust its options, experts have said.
The ICO said it had successfully prosecuted former Nationwide Accident Repair Services (NARS) employee Mustafa Kasim under the Computer Misuse Act.
Kasim pled guilty to a charge of securing unauthorised access to personal data between 13 January 2016 and 19 October 2016 after the ICO found he had used colleagues' log-in details to access software containing "thousands of customer records", which featured their names, phone numbers, vehicle and accident information. The ICO said it investigated after NARS reported seeing an increase in customer complaints about nuisance calls. Kasim was sentenced to six months imprisonment.
Michele Voznick of Pinsent Masons, the law firm behind Out-Law.com, said that although the prosecution was brought under the UK's computer misuse laws, businesses can follow General Data Protection Regulation (GDPR) compliance programmes to help prevent cases like this happening to them.
"A well implemented GDPR programme, with proper criteria for login access and checks for unusual activity, will help a company with early detection of unauthorised access to their data – even by their own employees," Voznick said.
Voznick said that while it is not the first time someone has been sentenced to jail time for personal data-related criminal activities, the case was noteworthy because it was the first time the ICO had secured such a sentence from one of its prosecutions.
Rachel Forbes of Pinsent Masons said the fact the ICO brought its prosecution under the Computer Misuse Act showed the extent of the ICO's powers under not only data protection law, but UK law more generally.
"It has been very easy to get swept up in the noise surrounding the GDPR and new UK Data Protection Act this year, but we should not forget that a range of powers exist under other legislation and that the Computer Misuse Act, which has been around for nearly 30 years, carries in some sense much higher personal penalties, as can be seen in this case," Forbes said. "The Computer Misuse Act provisions are broad as they set out restrictions on accessing any 'data' held on computers – not just personal data."
"This prosecution shows that the ICO takes this type of activity very seriously and will not shy away from criminal prosecutions and so serves as a warning to individuals who might engage in this type of behaviour. This prosecution should hopefully act as a deterrent to employees, or indeed others in a position to access personal data, who before now may have thought prison for this type of offence was fairly unlikely," she said.
"The case, however, highlights a discrepancy in data protection legislation in the UK. It shows how a rogue employee can get a prison sentence for unlawfully accessing personal data, or any data, using a computer system to do it, but this is a penalty that would not be able to be imposed if an employee had stolen hard copy HR or customer records since the penalty, whilst still carrying the significance of a criminal conviction, is limited to a fine," Forbes said.
Provision for enabling custodial sentence penalties to be imposed for offences under the section 55 of the UK's previous Data Protection Act 1998 was made in the Criminal Justice and Immigration Act (CJIA) of 2008, but the secondary legislation needed to introduce such powers was never introduced, despite repeated lobbying by the ICO.
Forbes said that while introduction of the UK's new Data Protection Act earlier this year saw a raft of new data-related offences introduced into UK law, there was an opportunity missed to completely sync data protection offences with powers to impose jail sentences.
Mike Shaw, group manager of the ICO's criminal investigations team, said: "Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour. Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights. Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress."