UK: First prison sentence following ICO prosecution

The Information Commissioner’s Office (“ICO”) has brought a successful prosecution under the Computer Misuse Act 1990. Mustafa Kasim, a motor industry employee, was found guilty under section 1 of the Act (unauthorised access to computer material) and sentenced to six months’ imprisonment.[1]

Mr Kasim worked for car repair business Nationwide Accident Repair Services (“NARS”), where he would use a colleague’s password to log onto the software system Audatex, in order to access thousands of customer records, without permission. These records included personal data such as names, phone numbers, and vehicle and accident information.

After moving jobs to another car repair firm, Mr Kasim continued to use his former colleague’s log-in details to access the Audatex system. NARS contacted the ICO as they saw an increase in complaints from customers relating to nuisance calls.

This case marks the first occasion that the ICO has prosecuted under a law which carries a potential custodial sentence. It is a reminder that the ICO is a prosecuting authority which can bring prosecutions under legislation beyond the Data Protection Act 1998 or 2018, if appropriate, in light of the nature and extent of the offence.

The Data Protection Act 2018 contains a number of criminal offences, including the unlawful obtaining of personal data, and the alteration of personal data to prevent disclosure to a data subject (in response to a data subject request). At present, the maximum penalty which can be imposed for either criminal or civil breaches under the Act is a fine. Despite historic attempts by the ICO to lobby government, there are currently no custodial sentencing powers for data misuse offences.

In recent times, the ICO has shown increasing willingness to flex its enforcement muscles, and this case clearly demonstrates an appetite to expand the regulator’s remit and enforce strongly against data-related offences, whether or not they neatly fall under the purview of the Data Protection Act 2018.

In this case the offence was so sophisticated and the exfiltration of data was so vast that the ICO felt it necessary to pursue the harshest possible sentences. In the first instance, this took shape as dual charges under both s.55 of the Data Protection Act 1998 (since the offending took place before 25 May 2018) and section 1 of the Computer Misuse Act. We understand that the defendant entered a guilty plea in respect of the section 1 offence and therefore the ICO determined that there was no further public interest in pursuing the s.55 charge through full trial.

The ICO has initiated confiscation proceedings under the Proceeds of Crime Act in order to recover any benefit obtained as a result of the offending.

Aside from this case, we have now seen two monetary penalty notices at the maximum level possible for breaches of data protection law committed prior to 25 May (£500,000, in respect of Facebook and Equifax), and the ICO’s Operation Cederberg, its major investigation into data misuse in the context of political campaigns, has produced its Report to Parliament which can be found on the ICO website.

James Clark, Sami Qureshi and Alexandra Greaves, DLA Piper UK LLP

[1] Please see the following link for section 1 of the Computer Misuse Act 1990: https://www.legislation.gov.uk/ukpga/1990/18/section/1