ICO fines two employees for a data breach when they used personal data wrongfully
cyber-attacks on UK councils

ICO fines two employees for a data breach when they used personal data wrongfully

Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.

Start Your Claim
Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

The Information Commissioner’s Office (ICO) has prosecuted two employees, Lesley Severs and Kayleigh Billington, who worked at a claims management company. They both had access to data that was reportedly illegally obtained from another company, to go on to use the personal data to make calls to insurers.

The personal data in question included information about policy holders and their recent or historic road traffic accidents. The personal data would’ve no doubt included names, addresses, vehicle identification numbers, dates of birth, and so on.

Both employees had been employed at UK Claims Organisation Ltd to make calls to insurance companies in order to obtain personal information. The aim of this was then to sell on personal injury cases to solicitors. It’s unknown whether the employees had knowledge of the unlawfully obtained data, but their deceit was magnified by the fact that they had used the personal data to obtain more information.

How does the employees’ actions breach the DPA?

The Data Protection Act (DPA) and its principles provide that a subject, with whom the data belongs to, shall have full authority of how and what the data is being processed and used for. Anyone handling personal data is named as a data controller, and being a data controller carries serious legal responsibilities. A data controller effectively keeps or processes information about data subjects.

The first thing to note is that the information obtained from the car hire company was done so unlawfully. The data controller of that company was responsible for keeping that personal data private, but they failed to do so.

Secondly, a data processor is an individual or entity that processes personal data but doesn’t necessarily control the data. The employees at UK Claims Organisation are arguably data processors. Although data processors have limited responsibilities under the DPA, the employees’ acts constitutes to an unlawful processing of data. They didn’t have the authority to use the data in the manner that they did.

Consequences of a breach of the DPA

With DPA breaches, there can be penalties and compensation. If a company or an organisation breached their DPA responsibilities, they can be fined by the ICO, as the case is here. Their powers include:

  • Monetary penalty notices: imposing fines of up to £500,000.
  • Prosecutions: possible prison sentences.
  • Undertakings: companies and organisations will have to promise to do a particular action to show they’re complying with the DPA.
  • Enforcement notices: companies and organisations may have to do certain things to comply with the law.
  • Audit: make unannounced inspections of governmental departments.

Most common penalty: monetary fines

The most common action that the ICO takes is imposing a monetary penalty on individuals and companies. When the EU General Data Protection Regulation (GDPR) is enforced from 2018, offending organisations will probably face a dramatic increase in fines. Although employees breached the DPA in this case, the EU GDPR highlights the importance on companies and organisations to take responsibility for their employees.

Ms Billington pleaded guilty to eight offences, with a fine of £320, £250 in costs, and a victim surcharge of £20. Ms Severs pleaded guilty to five offences, with a fine of £250, £400 in costs, and also a £20 victim surcharge.

These breaches of personal data is not a rare occurrence. Just recently, Karun Tandon was guilty for strikingly similar offences of unlawfully obtaining and selling personal data. Mr Tandon emailed the personal information of 551 Lex Autolease (where he worked) customers relating to road traffic accidents to his private email address. This was reportedly to sell on the information for personal injury claims, and he was fined £500 for his DPA breach.


Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.Information on how we handle your data is available in our Privacy Policy.

We offer genuine No Win, No Fee agreements for our clients. Why we do this is simple:

Leading Data Breach Lawyers
Our experience speaks for itself.
We will fight for your right to compensation.
Access to Justice
As a victim of a data breach or hack, you deserve your chance to get access to justice.
Risks Assessment
We carefully risk assess your case and take it on if we think we have a good chance of winning the claim.

Request A Callback From Our Team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'
arrow-up icon