Don’t let GDPR confuse you: both companies and individuals can be convicted for illegally obtaining and sharing data under legislation that already exists.
In December 2017, a firm of loss adjustors, Woodgate & Clark Ltd, as well as individuals it employed, were convicted of offences under Section 55 of the Data Protection Act 1998.
The offences occurred after the firm were asked by lawyers to investigate an insurance claim following a fire at a nightclub. The director instructed private investigators to assist in the investigation by obtaining personal data about the financial position of the nightclub’s owner; the Court was told that the director would have known this data would not be obtainable by legal means.
The charges concerned the obtaining of information from Barclays and Santander banks including mortgage details and bank balances. This information, obtained by the private investigators, was passed on to Woodgate & Clark and then disclosed by a director to the law firm.
The director, alongside a senior loss adjustor from the firm and two private investigators, were convicted as individuals of both unlawfully obtaining personal data and unlawfully disclosing the data. Woodgate & Clark Ltd as a company was also convicted of unlawfully disclosing the data.
The Head of Enforcement at the ICO, said: “The illegal trade in confidential personal information threatens people’s privacy and security and it’s right that the actions of those involved should be punished.”
This case demonstrates the willingness of the ICO to prosecute criminal cases and means all businesses should review their approach to data protection.
Sentences in the case were handed out on Friday, 5th January 2018, and the fines totalled £185,000. The director and senior loss adjuster, as individuals, were fined £75,000 and £30,000 respectively; as a business, Woodgate & Clark Ltd were fined £50,000, and the two private detectives were fined £20,000 and £10,000.
Whilst the maximum penalty is a fine, offences of this kind clearly carry serious reputational damage and, for some, regulatory implications.