A former company director found guilty of illegally obtaining people’s personal data and selling it to solicitors chasing personal injury claims, has been fined for breaches of data protection and issued with a confiscation order under the Proceeds of Crime Act 2002.

David Cullen of Middleton Road, Manchester, was the managing director of No1 Accident Claims Limited based on Oxford Road, Manchester from 4 March 2010 until 20 December 2012 when the company was liquidated. The business profited from selling illegally obtained personal data to solicitors. The data, belonging to people who had been in road accidents, could then be used to pursue personal injury claims.

Appearing before Manchester Crown Court on 24 June 2019, Cullen was fined £1,050 and ordered to pay £250 costs. He was disqualified from being a company director for five years and an order was made for the forfeiture and destruction of items which were seized as part of a search warrant in 2012. During the raid on Cullen’s business a number of computer devices and documents were seized containing the unlawfully obtained data.

Following sentencing, confiscation under the Proceeds of Crime Act 2002 commenced. The exact figure which Cullen is believed to have benefited from during his illegal activities is £1,434,679.60. Due to a lack of assets, the Court proceeded by making a £1 nominal order. Cullen’s financial circumstances will be regularly reviewed, and should they improve, the amount of the confiscation order can be increased.

Michael Shaw, Group Manager – Enforcement at the ICO said:

“The volume of confidential personal information found in Cullen’s possession showed his blatant disregard of people’s right to privacy and our data protection laws.

“The confiscation order under the Proceeds of Crime Act is a warning shot to anyone using or thinking about using personal data illegally. We can and will take action which can have a huge effect on your personal life including confiscating assets and earnings – whatever they may be.”

Cullen pleaded guilty to 21 charges of unlawfully obtaining and selling personal data in breach of s55 of the Data Protection Act 1998, when he appeared before Manchester City & Salford Magistrates Court on 27 September 2018.

Notes to Editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
  3. The ICO’s prosecution policy can be found here.
  4. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  5. A limited number of criminal prosecutions – including this case - are still being dealt with under the provisions of the Data Protection Act 1998 because of when the offence occurred.
  6. Criminal prosecution penalties are set by the courts and not by the ICO. The maximum penalty for criminal offences under both the Data Protection Act 1998 and the new 2018 Act is an unlimited fine.
  7. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.