Last reviewed 13 January 2021

An employee of the RAC has been sentenced to eight months' imprisonment, suspended for two years, in a prosecution brought by the Information Commissioner’s Office (ICO), only its second under the Computer Misuse Act.

Kim Doyle, who transferred personal data to an accident claims management firm without authorisation, pleaded guilty to charges of conspiracy to secure unauthorised access to computer data, and to selling unlawfully obtained personal data.

Manchester Crown Court heard that Ms Doyle compiled lists of road traffic accident data including partial names, mobile phone numbers and registration numbers despite having no permission from her employers.

An ICO investigation found that she unlawfully transferred the data to William Shaw, the director of an accident claims management firm, TMS (Stratosphere), trading as LIS Claims.

There is evidence this data was used to make nuisance calls.

Mr Shaw was also sentenced to eight months' imprisonment, suspended for two years, after pleading guilty to conspiracy to secure unauthorised access to computer data.

They were both ordered to carry out 100 hours unpaid work and contribute £1000 costs.

The offence came to light when Arval, a fleet management company, alerted RAC to nuisance calls to one of its drivers about an accident in which he had been involved.

Arval suspected there may have been a data leak from RAC, which had carried out recovery of its driver’s vehicle.

This prompted the RAC to perform a data leakage scan of its Outlook mailboxes, where it found details which led it to discover Ms Doyle had been compiling unauthorised lists of data.

Mike Shaw, who leads the Criminal Investigations Team at the ICO, said: “These criminal acts have a detrimental impact on the public and businesses. Once the data is in the hands of claims management companies, people are subjected to unwanted calls which can in turn lead to fraudulent personal injury claims”.

A Confiscation Order, under the Proceeds of Crimes Act, to recover benefit obtained as a result of the offending has been given by the Court in which Ms Doyle must pay a benefit figure of £25,000 and Mr Shaw must pay a benefit figure of £15,000.

Both will face three months' imprisonment if the benefit figures are not paid within three months.

Comment from BrightHR’s CEO Alan Price

Depending on the facts, cases of data breaches may lead to employers being found to have been vicariously liable.

Hence, employers are now likely to become more vigilant about their employees' work activities, especially those who work with personal data.

Not only that but the pandemic, with millions now forced to work from home, may greatly exacerbate the need for employers to find ways to better monitor staff activities and the handling of personal data files to avoid implication where a member of staff commits a data breach.