A motor industry employee who was sentenced to six months in prison in November 2018 for accessing personal data without permission has been ordered to pay a £25,500 confiscation order in a case brought by the Information Commissioner’s Office (ICO).

Following a hearing at Wood Green Crown Court, London on 15 July, the judge determined Mustafa Kasim of Palmer’s Green benefited from thousands of pounds as a result of the offences.

Kasim had previously worked for accident repair firm Nationwide Accident Repair Services (NARS) and accessed thousands of customer records containing personal data, without permission. He used his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex.

He continued to do this after he started a new job at a different car repair organisation which used the same software system. The records contained customers’ names, phone numbers, vehicle and accident information.

This led to an investigation by the ICO and, in November 2018, he became the first person to be imprisoned following an ICO prosecution, which was brought under the Computer Misuse Act.

Mike Shaw, Group Manager Enforcement at the ICO, said:

“Our investigations found that Mr Kasim had benefitted financially from his illegal activity. As a result of his activities, people whose data had been stolen received cold calls and his former employer faced huge remedial costs.

“Personal data obtained in this way can be a valuable commodity and selling it may seem like an easy way to make money but the penalties can be severe. The outcome of this case should serve as a deterrent to others.”

Kasim has three months to pay the confiscation order under the Proceeds of Crime Act 2002 or could face a 12-month prison sentence. He was also ordered to pay £8,000 costs.

Notes to Editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
  3. The ICO’s prosecution policy can be found here.
  4. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  5. A limited number of criminal prosecutions – including this case – are still being dealt with under the provisions of the Data Protection Act 1998 because of when the offence occurred.
  6. Criminal prosecution penalties are set by the courts and not by the ICO. The maximum penalty for criminal offences under both the Data Protection Act 1998 and the new 2018 Act is an unlimited fine.
  7. To report a concern to the ICO, telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.