Criminal Prosecution by the ICO

Mustafa Kasim, who had been employed by the Nationwide Accident Repair Services, has been sentenced to six months in prison under the Computer Misuse Act 1990 after accessing computer material which he was unauthorised to access.

The defendant had used a colleague's log in details to access customer contact information and other personal data. The defendant continued to use this information after changing jobs and moving to another company. The Nationwide Accident Repair Services subsequently encountered an increase in complaints relating to nuisance calls and requested the ICO to carry out an investigation, which resulted in the discovery of the breach.

This is the first prosecution under the Computer Misuse Act 1990, which states that a person is guilty of an offence if they are unauthorised to "cause a computer to perform any function with intent to secure access to any program or data held in any computer or enable access to be secured". An offence under section 1 of the Computer Misuse Act 1990 carries a potential custodial sentence of a maximum of two years imprisonment.

Whilst it is well known that the ICO can take enforcement action and impose fines under the Data Protection Act 2018 for data breaches, most are unaware of the ICO's powers under the Computer Misuse Act 1990. This case serves as a timely reminder of the importance of protecting personal data and the wide range of powers at the ICO's disposal.

This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.