Anam Khan prosecutes the ICO’s first prosecution of a non-Data Protection Act offence which results in an immediate custodial sentence

The Information Commissioner’s Office is the UK’s independent body set up to uphold information rights. Traditionally, the ICO has prosecuted non-recordable offences under the old Data Protection Act 1998 (‘DPA’), the maximum penalty being a fine. With increased emphasis on the importance of keeping personal data safe and the recent overhaul of data protection legislation comes the ICO’s first prosecution of a non-DPA offence.

Instructed by the ICO, Anam Khan prosecuted Mr Kasim for an offence under the Computer Misuse Act 1990. Mr Kasim took advantage of the access he could gain via his employment to the road traffic accident records of thousands of customers. The data was sold to various third party companies primarily operating in the field of personal injury claims’ management. This criminality could have been dealt with by way of a fine-only DPA prosecution but that would not have properly reflected the level of criminality in this case.

On 12th November, His Honour Judge Perrins sitting at Wood Green Crown Court sentenced Mr Kasim to 6 months’ immediate custody, he declined to suspend Mr Kasim’s sentence on the basis that the offence was too serious and only an immediate custodial sentence could be justified.

HHJ Perrins determined that this was a case of persistent offending motivated by a need for money, including a gross breach of trust which had caused harm to a number of people and significant harm to Mr Kasim’s employer.

HHJ Perrins took into account the need to pass a deterrent sentence, which places greater emphasis on the importance of keeping personal data safe and secure in the current age. It sends a strong message to those carrying out similar operations – the punishment will be severe.

Whilst the action of prosecuting Mr Kasim for a non-DPA offence and the sentence passed on him marks a shift in public perception, unfortunately, this is not reflected in the new Data Protection Act 2018 where the maximum sentence for offences under the new Act is still a fine. The ICO appears to have innovated a solution but it is hoped that prosecutions and outcomes such as these will send a powerful message to the legislature – the need to reconcile public perception with the maximum sentence for DPA offences.

 Further details can be found here: