ICO Utilises the Computer Misuse Act to Impose Tougher Penalties for Unauthorised Access to Data
The Information Commissioner’s Office (“ICO”) has, for only the second time in its history, successfully prosecuted individuals under the Computer Misuse Act 1990 (the “Act”) in order to impose harsher criminal penalties for unauthorised access to personal data (including prison sentences and confiscation orders) than are available under the Data Protection Act 2018 (the “DPA 2018”).
In this case, on 8 January 2021, a former employee (“D”) of the RAC (a well-known breakdown and recovery service in the UK and Europe) pleaded guilty to charges of conspiracy to secure unauthorised access to computer data and to selling unlawfully obtained personal data. The ICO investigation had found that D had been compiling lists of road traffic accident data without the permission of her employer. The data was accessible by virtue of D’s position as an RAC Performance Manager and included partial names, phone numbers and vehicle registration numbers. D was then unlawfully transferring the data to the director of an accident claims management firm, trading as LIS Claims (“S”), who used this information to make nuisance calls to the individuals concerned.
Both S and D were found guilty of offences under the Act and were sentenced to eight months’ imprisonment, suspended for two years. They were also ordered to carry out 100 hours’ unpaid work and to contribute £1,000 to costs. In addition, the court made a Confiscation Order under the Proceeds of Crime Act 2002, requiring D and S to pay £25,000 and £15,000 respectively.
The ICO pursued prosecutions under the Act due to the severity of the data breaches. Typically, it would prosecute such offences under the DPA 2018, in reliance upon Section 170, which makes it an offence for a person to knowingly or recklessly:
obtain or disclose personal data without the consent of the controller;
procure the disclosure of personal data to another person without the consent of the controller; or
after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
The maximum penalty for such an offence is a fine. However, the Computer Misuse Act makes provision for more severe sentences, including imprisonment. Under Section 1 of the Act, it is an offence to cause a computer to perform a function with the intention of securing unauthorised access to any program or data held on that computer, carrying a maximum custodial (prison) sentence of two years.
This case, alongside comments from Mike Shaw (who heads up the Criminal Investigations team at the ICO), suggests that the ICO will make full use of the various legislative frameworks available to it in order to seek to match the level of punishment to the severity of the data breach. Mr Shaw stated,
offenders must know that we will use all the tools at our disposal to protect people’s information and prevent it from being used to make nuisance calls.
Furthermore, the ICO will make “full use of the Proceeds of Crime Act” to prevent criminals benefitting financially from their crimes.
We closely monitor trends in the ICO’s enforcement actions and prosecutions. The tougher stance taken by the ICO in this case should serve as a warning to individuals who seek to gain unauthorised access to personal data held electronically that they may face not only penalties under the DPA 2018, but also prosecution, and therefore tougher penalties, under the Act.
This case also reinforces the message to businesses and organisations which are controllers of personal data that they must prepare for and safeguard against the risks posed by rogue employees who gain unauthorised access to personal data electronically and/or sell it on. Security measures which aim to protect personal data from unauthorised or unlawful processing, such as those designed to identify unusual activity and data exports, need to be sufficiently robust and effective to guard against both internal and external threats. The risks may be exacerbated by the increased number of employees working remotely and without regular supervision (including as a result of the COVID-19 pandemic). Employee vetting, training, regular communications and ongoing compliance checks are essential to reduce these risks.