ICO Prosecution of Employee for Improper Use of Personal Data

In a case brought before the Information Commissioner's Office (ICO), an employee within the motor industry has been prosecuted for appropriation and misuse of personal data under the Computer Misuse Act 1990.


An employee working for RAC sold data on road traffic accidents to an accident claims management firm, which used the data to make nuisance calls. The data included partial names, mobile phone numbers and car registration numbers. This was, of course, without the employer's permission, and the breaches came to light when a fleet management company alerted RAC to a possible leak following an accident involving one of its drivers.

The employee pleaded guilty to charges of conspiring to secure unauthorised access to personal data and selling unlawfully obtained data.


The employee was sentenced to 8 months' imprisonment, suspended for 2 years.

The Director of the accident claims management firm, who was the recipient of the illegally transferred data, was also sentenced to 8 months' imprisonment, suspended for two years, after pleading guilty to conspiracy to secure unauthorised access to computer data.

Both were also ordered to carry out 100 hours of unpaid work and contribute £1,000 towards costs.

Previous Decisions

The ICO previously sentenced an employee to six months' imprisonment in a similar case where the employee worked for Nationwide Accident Repair Services and secured unauthorised access to personal data.

In 2019, an employee of the Heart of England NHS Foundation Trust was fined £1,000, with a £50 victim surcharge, and ordered to pay £590 towards prosecution costs. This was as a result of her viewing, without authorisation or other business need, records of her family members and children she knew.

Notes for Employers

This is an important reminder that employers must ensure that they have adequate Data Protection policies in place and appropriate protections for those who disclose suspected breaches. If employers suspect that there has been a breach of personal data, they must notify the ICO as soon as possible.