ICO fines two employees for a data breach when they used personal data wrongfully

The Information Commissioner’s Office (ICO) has prosecuted two employees, Lesley Severs and Kayleigh Billington, who worked at a claims management company. They both had access to data that was reportedly illegally obtained from another company, to go on to use the personal data to make calls to insurers.

The personal data in question included information about policy holders and their recent or historic road traffic accidents. The personal data would’ve no doubt included names, addresses, vehicle identification numbers, dates of birth, and so on.

Both employees had been employed at UK Claims Organisation Ltd to make calls to insurance companies in order to obtain personal information. The aim of this was then to sell on personal injury cases to solicitors. It’s unknown whether the employees had knowledge of the unlawfully obtained data, but their deceit was magnified by the fact that they had used the personal data to obtain more information.

How does the employees’ actions breach the DPA?

The Data Protection Act (DPA) and its principles provide that a subject, with whom the data belongs to, shall have full authority of how and what the data is being processed and used for. Anyone handling personal data is named as a data controller, and being a data controller carries serious legal responsibilities. A data controller effectively keeps or processes information about data subjects.

The first thing to note is that the information obtained from the car hire company was done so unlawfully. The data controller of that company was responsible for keeping that personal data private, but they failed to do so.

Secondly, a data processor is an individual or entity that processes personal data but doesn’t necessarily control the data. The employees at UK Claims Organisation are arguably data processors. Although data processors have limited responsibilities under the DPA, the employees’ acts constitutes to an unlawful processing of data. They didn’t have the authority to use the data in the manner that they did.

Consequences of a breach of the DPA

With DPA breaches, there can be penalties and compensation. If a company or an organisation breached their DPA responsibilities, they can be fined by the ICO, as the case is here. Their powers include:

Most common penalty: monetary fines

The most common action that the ICO takes is imposing a monetary penalty on individuals and companies. When the EU General Data Protection Regulation (GDPR) is enforced from 2018, offending organisations will probably face a dramatic increase in fines. Although employees breached the DPA in this case, the EU GDPR highlights the importance on companies and organisations to take responsibility for their employees.

Ms Billington pleaded guilty to eight offences, with a fine of £320, £250 in costs, and a victim surcharge of £20. Ms Severs pleaded guilty to five offences, with a fine of £250, £400 in costs, and also a £20 victim surcharge.

These breaches of personal data is not a rare occurrence. Just recently, Karun Tandon was guilty for strikingly similar offences of unlawfully obtaining and selling personal data. Mr Tandon emailed the personal information of 551 Lex Autolease (where he worked) customers relating to road traffic accidents to his private email address. This was reportedly to sell on the information for personal injury claims, and he was fined £500 for his DPA breach.

Sources:

https://ico.org.uk/action-weve-taken/enforcement/lesley-severs-and-kayleigh-billington/

https://ico.org.uk/action-weve-taken/enforcement/karun-tandon/

“The Northamptonshire PCC data breach” – Adam Simmonds is charged for disclosing confidential information

“Three are losing customer trust” – Three mobile customers aren’t happy following the data breach