14 November 2018
BTO Partner Lynn Richmond discusses the ICO's use of the Computer Misuse Act 1990 to prosecute a motor industry employee who illegally accessed thousands of customer records containing personal data stored in a software system.
When the General Data Protection Regulation came into force, many a column inch was devoted to the significant increase in fines which could be levied by the Information Commissioner’s Office for breaches of the Regulation.
Lynn Richmond, Partner
However, the recent ICO prosecution of Mustafa Kasim demonstrates the range of remedies that the ICO has at its disposal and that it is willing to look beyond what is traditionally considered as “data protection legislation” to take enforcement action.
The ICO has taken the unprecedented step of using the Computer Misuse Act 1990 to prosecute a motor industry employee who illegally accessed thousands of customer records containing personal data stored in a software system. The individual gained access to the database without authorisation by using a work colleague’s log in details and continued to do this after he started work with a new employer.
The ICO has specific powers not only to fine but also to raise prosecution proceedings for data protection breaches which constitute an offence. While the ICO would normally prosecute under the Data Protection Act 2018 (or Data Protection Act 1998 for older offences) the ICO took the unusual step in this instance of prosecuting under section 1 of the Computer Misuse Act. This act and the Data Protection Act contain similar provisions that provide that obtaining or accessing personal data without authorisation is a criminal offence.
The notable difference, however, is the sentencing powers available. Despite consideration of the introduction of custodial sentences under the Data Protection Act 2018, the final version of the act only conferred on the ICO the power to issue a fine and not to seek a custodial sentence. The Computer Misuse Act in contrast allows the ICO to seek a custodial sentence and was used in this case to impose 6 months’ imprisonment.
The prosecution under the Computer Misuse Act is something of a watershed and perhaps highlights the ICO’s hardening approach to the prosecution of what it sees as flagrant breaches.
It is worth noting that while the ICO may levy fines throughout the UK, its powers of prosecution do not extend to Scotland, where a prosecution must be pursued by the Procurator Fiscal. That said, individuals in Scotland remain subject to the same legislation and should not think that they will escape prosecution - it may simply be by a different route.
The first large fine to be issued by the ICO is awaited with a certain degree of anticipation and commentators are intrigued to see the extent to which the ICO is willing to flex its new found muscles. However, fines are only one half of the story and anyone considering obtaining or disclosing personal data unlawfully should be well aware that the ICO will use all the powers at its disposal to pursue the toughest sanctions where it considers it appropriate.
Contact: Lynn Richmond, Partner email@example.com T: 0131 222 2939