The director of an accident claims company has been fined for inventing a crash in order to trace the owner of a private number plate he wanted to buy.
[Name, age redacted], a director of Bristol-based Accident Claims Handlers Ltd, sent official forms to the DVLA requesting the identity of the registered keeper of a 4x4 which he claimed had been involved in a collision in the city.
The owner of the 4x4 subsequently received a letter at his home from the defendant, offering to buy his private registration plate, W1 DOW. He complained to the DVLA and an internal investigation revealed [Name redacted] had used subterfuge in order to obtain his name and address.
The owner of the plate lived in Huddersfield, West Yorkshire, and said he had never been to Bristol in his life. Police ANPR cameras later confirmed the vehicle was not in the area at the time of the alleged crash. The DVLA reported the matter to the Information Commissioner’s Office (ICO).
[Name redacted] admitted a charge of breaching s55 of the Data Protection Act 1998 by unlawfully obtaining personal data when he appeared at Bristol Magistrates’ Court. The defendant, of Whiteshill, Hambrook, Bristol, was fined £335 and was ordered to pay £364.08 costs and a victim surcharge of £33.
ICO Head of Enforcement Steve Eckersley said:
“This was an unusual case in many ways, but one which demonstrates the lengths some people will go to in order to get hold of personal information.
“Unlawfully obtaining people’s personal data is a criminal offence and the ICO will not hesitate to take action through the courts to uphold the law and protect people’s rights.”
Notes to Editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The General Data Protection Regulation (GDPR) is a new law that will replace the Data Protection Act 1998 and will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a civil monetary penalty on a data controller of up to £500,000. Criminal prosecutions under s55 of the Data Protection Act can attract an unlimited fine.
- Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in line with your rights;
- secure; and
- not transferred to other countries without adequate protection.
- Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns