A motor industry employee has recently been sentenced to six months in prison for accessing thousands of customer records containing personal data without permission. Mustafa Kasim used log-in details of colleagues to access a software system that estimates the cost of vehicle repairs. He carried on accessing the software when employed with a different car repair organisation that used the same software. The records he accessed were detailed and included customer names, contact details and vehicle and accident information.
It is the first prosecution to be brought by the Information Commissioner’s Office (ICO) under the Computer Misuse Act 1990. Usually the ICO prosecutes cases similar to this under the Data Protection Act 1998 or 2018. Mike Shaw, Group Manager Criminal Investigations Team at the ICO, explained why a different approach was taken:
“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour. Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.”
Mr Kasim pleaded guilty to a charge of causing a computer to perform a function with intent to secure access to any program or data held on that computer. This is an offence under section 1 of the Computer Misuse Act 1990 which attracts a custodial sentence of up to 2 years.
Although Mr Kasim committed this offence within the motor industry, it is conceivable that this could happen within a school environment.
For example, school staff accessing pupil, staff or alumni records on school software without permission may also be committing this offence.
Staff should always seek permission to access personal data held on computers when in doubt about their authority to do so.