A former rogue manager at a Merseyside branch of the car rental company Enterprise Rent-A-Car has been prosecuted by the Information Commissioner’s Office (ICO) after unlawfully stealing the records of almost two thousand customers before selling them to a claims management company.

Appearing at Wirral Magistrates Court today, [Age, name redacted] was prosecuted under section 55 of the Data Protection Act and fined £500, ordered to pay a £50 victim surcharge and £264.08 prosecution costs.

Enterprise Rent-A-Car alerted the ICO after its security systems showed an irregularity. Acting on this information, the ICO then raided a claims management company based in the Liverpool area. The raid resulted in over 500 records being recovered relating to car hire arranged by Enterprise Rent-A-Car on behalf of insurance companies whose customers had been involved in a recent accident.

The records were traced to [Name redacted], who had used his position as manager of the rental firm’s Southport branch to print the customers’ details. The ICO was able to establish that [Name redacted] printed the details of more than 1900 people between 14 October 2011 and 4 November 2011. All of the documents related to customers involved in road traffic incidents.

[Name redacted] passed the information to the claims management company who then contacted many of the individuals about potential personal injury claims. Neither Enterprise Rent-A-Car nor its customers gave permission for their information to be passed on.

The claims management company remains under investigation by the ICO and so cannot be named at this time.

ICO Head of Enforcement, Stephen Eckersley, said:

“This man was motivated by greed. [Name redacted] betrayed his employer and exploited over 1900 customers for personal gain. Staff at Enterprise Rent a Car acted swiftly in notifying us of their concerns and we were then able to protect other potential victims.

“Data theft is not a victimless crime and many of the people targeted by [Name redacted] and the claims management company will have received nuisance calls offering to pursue a personal injury claim. [Name redacted] was happy to exploit people after they had recently had an accident, when they may have already been suffering mentally and physically. He is now facing the consequences of his crimes.”

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of ‘fine only’ - up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on TwitterFacebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

5. If you need more information, please contact the ICO press office on 0303 123 9070.