The Information Commissioner’s Office has authority to prosecute offenders. It exercised that authority this year in relation, not to a data protection or Freedom of Information offence, but under the Computer Misuse Act 1990.

The Computer Misuse Act creates the following offences:

• Unauthorised access to computer material
• Unauthorised access with intent to commit or facilitate a further offence
• Unauthorised acts with intent to impair operation of computer etc
• Unauthorised acts causing, or creating risk of, serious damage to human welfare, to the environment, to the economy of any country or to the national security of any country
• Making, supplying or obtaining articles for use in computer misuse offences

Details of the offence

The prosecution involved a motor industry employee who worked for National Accident Repair Services and abused his position to access the records of customers who had been involved in a road traffic accident. The information was sold to claims management companies who used them to spam the customers with offers to follow up the claim on their behalf.

The ICO was alerted to the issue by the National Accident Repair Centre which noticed an increase in customer complaints relating to nuisance calls.

The employee was sentenced to six months in prison for the offence. He was clearly aware that his behaviour was unlawful as he used his colleagues’ log-in details to access customer records.

Conclusion

It is time to remind colleagues of the need to keep their personal log-in details secure and to highlight that, although offences under the DPA 2018 do not carry custodial sentences (yet), there are other weapons in the ICO armoury which do.