The UK data protection regulator, the Information Commissioner’s Office (ICO), has brought its first prosecution under the Computer Misuse Act 1990, resulting in a six-month prison sentence. 

The individual, who worked for an accident repair firm, used a colleague’s log-in details to access thousands of customer records (including personal data) without permission. He continued to access the records after starting a new job at a different businesses that used the same software system. The offence came to light as a result of an increased number of complaints to his former employer about nuisance calls.

The prosecution was brought under s.1 of the Act, which makes it a criminal offence to cause a computer to perform a function with intent to secure unauthorised access to any data held on that computer. The maximum custodial sentence is 2 years. ICO usually prosecutes these kinds of cases under data protection law – the Data Protection Act 2018 contains several offences related to the unlawful obtaining and disclosure of personal data. But ICO also has the power to prosecute under other legislation that carries tougher penalties.

Mike Shaw, ICO’s Group Manager Criminal Investigations Team, said:

”People who think it’s worth their while to obtain and disclose personal data without permission should think again. Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour. Members of the public and organizations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.”