21 January, 2021
Craig MacKenzie has recently acted for an individual charged with breaches of data protection law brought before the Manchester Crown Court. The case has received a significant amount of media interest and highlights the significance of data protection law and the potential consequences of criminal prosecution.
Craig MacKenzie led the multi-disciplinary regulatory team in this case and was assisted greatly by 'up and coming' trainee solicitor Katie Lee and POCA lawyer Kieran Kennedy.
The defendants were prosecuted by the Information Commissioners Office, the governing body responsible for the enforcement and regulation of the Data Protection Act 1998. The offences were committed between September 2017 and March 2018 relating to the unauthorised access to data belonging to RAC Motoring Services. The charges involved conspiracy to commit unauthorised access to personal data, contrary to S1 of the Computer Misuse Act 1990 (the CMA) with a further charge of selling data, an offence contrary to S55(4) of the Data Protection Act 1998 (the DPA).
A conspiracy to commit an offence constitutes an agreement between parties to commit a criminal act. The law states that it is an offence to use a computer device to perform a function with intent to cause access to a program or data which the accused knows is unauthorised. S55 of the Data Protection Act 1998 also makes it an offence for someone to access personal data from another without their consent.
One Defendant was a long-standing employee at RAC, which for the purposes of the DPA are classified as a data controller. This Defendant was responsible for sending information relating to 4,576 RAC customers to a co-defendant who used the data to source work for his claim's management company. The allegations covered a period of 5 months. The data was obtained remotely, without consent, in return for payments totalling £13,500.
After an early guilty plea by the first defendant and a later guilty plea by the second, they appeared before Manchester Crown Court on the 8th January 2021 for sentencing. The Judge made it clear from his remarks that the only appropriate sentence for the matter would be a custodial sentence, given the nature and the gravity of the offences.
The Judge alluded to several aggravating factors which would make an immediate custodial sentence likely, namely that:
However, mitigation on the defendant's behalf enabled the Judge to suspend an immediate custodial sentence. The Judge gave the defendant full credit for an early guilty plea and recognised the that the Defendant was of a good character, had a good job, and aside from current charges, is an individual who is well respected by others. References from well-respected individuals were also obtained and provided to the court for further assurance. The Defendants had also agreed to settle and pay back the remaining funds and additional fees incurred by the RAC to undertake their investigations.
The overall sentence compromised an 8-month custodial sentence but suspended with a requirement to undertake 100 hours of unpaid work. They were also ordered to pay £1,000 towards costs.
The ICO had originally sought to use powers under the Proceeds of Crime Act to instigate confiscation proceedings following sentence. Those proceedings were ultimately avoided in this case following negotiations between the parties. Confiscation Orders were agreed in the sums of £15,000 and £25,000.
The case has been heavily reported in the national press, and the sentence reflects a focused and forthcoming approach from regulatory bodies to investigate and prosecute breaches. Cases of this nature highlight a catastrophic impact and risk placed on both the public and businesses at large. More resources are being put into place to locate and track individuals who are accessing information without consent, and charges will be brought against individuals, even if they are unaware that their actions may be criminal.
The case has been widely reported: