The Information Commissioner’s Office (ICO) has discovered that eight individuals have taken information relating to thousands of people who had been involved in road traffic accidents. The individuals proceeded to use the unlawfully obtained data to generate leads for personal injury claims.
The ICO has commenced criminal proceedings against the eight individuals. The ICO has confirmed that this “prosecution follows a complex and wide-ranging criminal investigation”. The individuals will face prosecution in relation to the unlawful obtaining of the data under Section 1 of the Computer Misuse Act 1990 and Section 55 of the Data Protection Act 1998.
Section 1 of the Computer Misuse Act 1980
Section 1(1) sets out that a person is guilty of an offence if:
“(a) he causes a computer to perform any function with the intent to secure access to any program or any data held in any computer, or to enable any such access to be secured;
(b) the access he intends to secure, or to enable to be secured, is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that is the case.”
The ICO has only released limited information in relation to the criminal proceedings to date. We do however know that the individuals have obtained the data from vehicle repair garages, presumably from their computer systems. This has been done unlawfully and with the intention of generating leads for personal injury claims. It, therefore, is apparent that the individuals have acted in contravention of Section 1(1) of the Computer Misuse Act 1980.
Section 1(3) of the Computer Misuse Act 1980 confirms that a person guilty of an offence under Section 1 could be looking at either imprisonment for a term not exceeding 12 months and/or a fine or imprisonment for a term not exceeding two years and/or a fine. If the individuals are found guilty of an offence under Section 1 of the Computer Misuse Act 1980 they could be looking at a maximum sentence of two years imprisonment and a fine.
Section 55 of the Data Protection Act 1998
The Data Protection Act 1998 has since been replaced by the Data Protection Act 2018. The information was however unlawfully obtained by the individuals between 1 December 2014 and 30 November 2017 prior to the Data Protection Act 2018 coming into force. The ICO, therefore, commenced proceedings against the individuals in line with the Data Protection Act 1998. Had the information been obtained on or after 23 May 2018 the ICO would have needed to commence proceedings in accordance with the Data Protection Act 2018.
Section 55 of the Data Protection Act 1998 states:
“(1) A person must not knowingly or recklessly, without the consent of the data controller—
(a) obtain or disclose personal data or the information contained in personal data, or
(b) procure the disclosure to another person of the information contained in personal data.
(2) Subsection (1) does not apply to a person who shows—
(a) that the obtaining, disclosing, or procuring—
(i) was necessary for the purpose of preventing or detecting crime, or
(ii) was required or authorised by or under any enactment, by any rule of law, or by the order of a Court,
(b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,
(c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing, or procuring and the circumstances of it, or
(d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.”
The individuals, in this case, obtained the data without the data controller’s consent. It cannot be said that one of the exemptions detailed within subsection 2 applies to the obtaining of the data. The individuals therefore unlawfully obtained the data in contravention of Section 55 of the Data Protection Act 1998.
Had the individuals obtained the data following the implementation of the Data Protection Act 2018 and GDPR, they would have needed to demonstrate that they had a lawful basis for the processing of the data. I have discussed the six lawful bases in detail in my previous blog.
Comments
Historically, the ICO has been hesitant to get involved in criminal proceedings of this nature. This change in stance may have come about as a result of the Data Reform Bill that has sought to better equip the ICO in performing its functions as a regulator. It will be interesting to see what criminal action the ICO takes in the future.
How can we help?
Ruby Ashby is an Associate in our expert Dispute Resolution team.
If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us