ICO brings criminal prosecution for data misuse

In the first case of its kind, the Information Commissioner’s Office (ICO) has successfully prosecuted a man, Mustafa Kasim, under the Computer Misuse Act 1990 (CMA 1990). Mr Kasim, a motor repair technician, has been jailed for six months. He used a former colleague’s log-in details to obtain access to a computer system used to estimate accident repair costs, and the database of customer details contained in it, continuing to use the information after moving to a new employer.

The situation came to light after the former employer began to receive complaints about nuisance calls and notified the ICO of the suspected breach. Mr Kasim pleaded guilty and proceedings are under way to confiscate the benefits of the crime.

The ICO decided to prosecute under the CMA 1990 in this case because it gives courts greater sentencing powers than the Data Protection Act 1988, which cannot lead to prison. The DPA 2018, incorporating GDPR, could not be used as it post-dates the offence.

Laurence Eastham, editor of Computers and Law magazine, has written of his surprise at the severity of the sentence and has warned that other such prosecutions may now follow. What is clear is the ICO’s willingness to use whatever powers are available to it in order to, as Mike Shaw, its head of criminal investigations, describes it, ‘push the boundaries’ to protect individuals against misuse of personal data.

In this instance the enforcement action was taken against an individual, but it is not difficult to see how this matter stands as a warning to organisations more generally to be ever more vigilant about who is accessing the data they store, when, how, and why.