Two former employees who worked at a UK-based claims management company illegally obtained information from a car hire company and then used this information to blag calls to an insurance company to illegally obtain personal information of drivers.
They did this in order to try to sell this personal information to solicitors. We ourselves have never bought claims, and never will!
The information included policyholders’ information and their recent and/or historic road traffic accidents. Within that information, the policyholders’ names, addresses, and contact details would likely have been accessed too.
Ms L. Servers and Ms K. Billington were found by the Information Commissioner’s Office (ICO) to have breached data protection laws.
The ICO is the regulator and enforcer of the data protection laws in the UK. They make sure that companies, organisations, and individuals comply with the Data Protection Act and its governing principles. They do not deal with compensation claims, though, which is where we come in.
Ms Servers and Ms Billington breached DPA laws when they:
- Illegally obtained information – the DPA does not allow for unauthorised access to personal information. This responsibility is on the data controller and data processor. The car hire company and insurance company failed in their duty to protect the personal information they held and controlled. The two offenders breached their duty by misusing information they had no business using.
- Illegally used the personal information obtained – The offenders actively broke the law in directly misusing the personal information they obtained. Since the owners of the personal information had no idea Ms Servers and Ms Billington had access to it, they couldn’t give consent. Without that consent, anything the offenders did with the information was illegal.
Ms Billington pleaded guilty to 8 offences and was given a fine of £320, and then ordered to pay contribution costs of £250 and a victim surcharge of £20.
Ms Servers also pleaded guilty to her offences and was given a fine of £250, contribution costs of £400 and the same victim surcharge amount of £20.
The ICO has a range of enforcement powers when they find a breach of the Data Protection Act. These include:
- A financial penalty fine; like with the two offenders above;
- An undertaking; where offenders promise to do things to prevent further breaches;
- Enforcement notices; where offenders do things to stop breaches;
- Custodial sentences; offenders can be given prison sentences for the most serious breaches.
In the past, the ICO has used a range of these enforcement measures on a lot of offenders. From the individual to giant multinational companies, the ICO is not afraid to do what is needed to punish data protection offenders. Hopefully those who hold or have access to personal data will see these enforcement actions as an incentive to make sure they do enough themselves to protect any information they have. Many companies, authorities, and individuals are not aware that they have an active duty to protect data. The more sensitive the information, arguably, the more is needed to protect it.
However, no matter how careful a company is, when it comes to deceptive individuals and highly equipped hackers, personal information does get out. But when that happens, victims don’t have to just sit by and tolerate it; they can seek help to recover compensation for any harm caused.