Companies have been under a duty to protect personal data for over 20 years. However, with GDPR coming into force on 25 May 2018 and the Data Protection Act 2018 increasing these protections and setting a new standard, data protection has been at the forefront of the industry over recent months.
On 12 November the ICO released details regarding the prosecution of a motor industry employee under the Computer Misuse Act 1990. (More details can be found here.)
In this case a rogue employee of a bodyshop had been using the company's access to the Audatex system to remove personal data using a colleague's log-in details. The employee would then sell the details to accident management companies, resulting in nuisance calls and complaints. This conduct continued for over 9 months, even after he left the first bodyshop, and only came to light when the first bodyshop concerned noticed a sharp increase in complaints regarding customer data and reported the issue to the ICO.
After an investigation, the employee concerned was charged with securing unauthorised access to personal data between 13 January 2016 and 19 October 2016 and was sentenced at Wood Green Crown Court in north London to 6 months' imprisonment.
The employee concerned is now also the subject of proceedings under the Proceeds of Crime Act, which could result in the recovery from the employee of any benefit obtained as a result of the offending.
Mike Shaw, head of criminal investigations at the ICO, said:
“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour…
“Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies, causing unnecessary anxiety and distress.
“The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again.”
With GDPR and data protection at the forefront of the industry recently, this is an important case and provides some interesting guidance, both as a warning and a reassurance, for businesses which may have been caught out by rogue employees.
This is a landmark case as the ICO has, for the first time, used the Computer Misuse Act 1990 to deal with a data breach, thereby giving the courts a wider range of sentencing powers. With this case the ICO appears to be signalling that they will use all the tools at their disposal to deal with data breaches where they result in a significant impact on data subjects.
What is reassuring is that the ICO does not appear to have taken action against either the bodyshop concerned or Audatex. Both organisations co-operated with the investigation and took steps to secure data going forward. This is good news for common sense.
Members are under a duty to take reasonable steps to minimise the personal data held and to secure the same whilst in their possession. We would strongly advise that any RMI members who have not reviewed their data processing or security processes recently consider doing so. Remember, as an RMI member you have access to lawyers who specialise in the motor industry as well as precedent documents and other resources designed to give you a head start when constructing your own policies and procedures.
Motor Industry Legal Services
Motor Industry Legal Services (MILS Solicitors) provides fully comprehensive legal advice and representation to UK motor retailers for one annual fee. It is the only law firm in the UK which specialises in motor law and motor trade law. MILS currently advises over 1,000 individual businesses within the sector as well as the Retail Motor Industry Federation (RMI) and its members.