The Information Commissioner’s Office (the ICO) has upped the ante in its fight to protect data privacy by bringing a prosecution under the Computer Misuse Act 1990 (the CMA). This is the first case that the ICO has brought under the CMA and marks a significant departure from its more traditional enforcement action of levying fines.
While both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (and its predecessor the Data Protection Act 1998) give the ICO significant powers to levy fines, the ICO does not expressly have the power to bring prosecutions that could lead to a custodial sentence. Recent case law has however established a fairly wide right to bring such prosecutions and it is this general power, rather than anything more specific, that the ICO has relied on here.
Following the ICO’s prosecution, Mustafa Kasim, a motor industry employee, was sentenced to six months in prison.
Mr Kasim, a former employee of National Accident Repair Services (NARS), gained unauthorised access to personal data including the names, phone numbers, vehicle details and accident information of customers that was stored on a software system called Audatex for the purpose of producing cost estimates for vehicle repairs. Kasim gained access by making use of a colleague’s login details without permission and, upon his departure from NARS, continued to access the information through the Audatex software from his new place of employment, another car repair organisation.
The ICO began their investigation following a report from NARS that there had been a steep rise in complaints from customers receiving nuisance calls.
The Computer Misuse Act 1990
This type of case would typically have been prosecuted under the Data Protection Act 1998 (the data theft having taken place in 2016, before the GDPR came into force). However, the case of R v Rollins UKSC 39 established that, as the CMA does not specify who can prosecute for the offences contained within it, any corporate body is able to bring a prosecution for an offence under the Act ‘…provided that it was authorised by its constitution to do so’. Accordingly, the ICO decided that the most appropriate legislation under which to prosecute Mr Kasim was the CMA, specifically section 1, which carries a maximum custodial sentence of 2 years.
Section 1 of the CMA states that:
(1) A person is guilty of an offence if—
- he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
- the access he intends to secure, or to enable to be secured, is unauthorised; and
- he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
- any particular program or data;
- a program or data of any particular kind; or
- a program or data held in any particular computer.
There has been much speculation as to why this decision was made by the ICO, considering that, as recently as last year, it stated in a response to a request for information that in some cases ‘…the data controller has referred incidents to the police to investigate under the Computer Misuse Act (which is outside of our remit) and the police would be the primary investigating authority’.
Consequently, some have suggested that the ICO deemed the punishments available to it under the Data Protection Act 1998 to lack the necessary severity for this particular case. This sentiment was echoed by Mike Shaw, Group Manager of the Criminal Investigations Team at the ICO, in a statement that read as follows:
“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour.
Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.”
The GDPR and data security
Interestingly, Mike Shaw concluded his statement by referring to the appropriate technical and organisational measures that have been put in place by both NARS and Audatex to prevent further incidents of this nature from occurring in the future.
Having such appropriate technical and organisational measures in place is one of the key principles of the GDPR, in particular Article 5(f), more information on which can be found in our previous blog covering the recent British Airways data hack, available here.
The Morrisons case
Whilst data leaks stemming from rogue employees are not uncommon, particularly in light of the value attached to data in a world that completes ever more transactions over the internet, it is worth remembering that even where an employer has done everything necessary to keep that data secure and to comply with its obligations under data protection legislation, it may still be vicariously liable for the acts of a rogue employee.
An example of this can be found in the recent Morrisons case, in which a rogue employee leaked payroll data comprising the names, addresses, salaries and bank account details of approximately 100,000 employees online. Whilst Mr Skelton, the employee responsible for the leak, was sentenced to a jail term under the CMA (a whopping 8 years), Morrisons was also held by the Court of Appeal to be vicariously liable, despite the ICO concluding that it had not breached the Data Protection Act and thus should not incur liability.
Therefore, whilst most employers will have upgraded their external security in response to the tighter penalties now available to the ICO under the GDPR, it is also necessary to have in place robust internal policies to prevent potentially rogue employees from compromising the integrity of personal data, and to ensure that the employer’s insurance covers the actions of such employees.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.