Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.
The Information Commissioner’s Office (ICO) has prosecuted two employees, Lesley Severs and Kayleigh Billington, who worked at a claims management company. They both had access to data that was reportedly illegally obtained from another company, to go on to use the personal data to make calls to insurers.
The personal data in question included information about policy holders and their recent or historic road traffic accidents. The personal data would’ve no doubt included names, addresses, vehicle identification numbers, dates of birth, and so on.
Both employees had been employed at UK Claims Organisation Ltd to make calls to insurance companies in order to obtain personal information. The aim of this was then to sell on personal injury cases to solicitors. It’s unknown whether the employees had knowledge of the unlawfully obtained data, but their deceit was magnified by the fact that they had used the personal data to obtain more information.
The Data Protection Act (DPA) and its principles provide that a subject, with whom the data belongs to, shall have full authority of how and what the data is being processed and used for. Anyone handling personal data is named as a data controller, and being a data controller carries serious legal responsibilities. A data controller effectively keeps or processes information about data subjects.
The first thing to note is that the information obtained from the car hire company was done so unlawfully. The data controller of that company was responsible for keeping that personal data private, but they failed to do so.
Secondly, a data processor is an individual or entity that processes personal data but doesn’t necessarily control the data. The employees at UK Claims Organisation are arguably data processors. Although data processors have limited responsibilities under the DPA, the employees’ acts constitutes to an unlawful processing of data. They didn’t have the authority to use the data in the manner that they did.
With DPA breaches, there can be penalties and compensation. If a company or an organisation breached their DPA responsibilities, they can be fined by the ICO, as the case is here. Their powers include:
The most common action that the ICO takes is imposing a monetary penalty on individuals and companies. When the EU General Data Protection Regulation (GDPR) is enforced from 2018, offending organisations will probably face a dramatic increase in fines. Although employees breached the DPA in this case, the EU GDPR highlights the importance on companies and organisations to take responsibility for their employees.
Ms Billington pleaded guilty to eight offences, with a fine of £320, £250 in costs, and a victim surcharge of £20. Ms Severs pleaded guilty to five offences, with a fine of £250, £400 in costs, and also a £20 victim surcharge.
These breaches of personal data is not a rare occurrence. Just recently, Karun Tandon was guilty for strikingly similar offences of unlawfully obtaining and selling personal data. Mr Tandon emailed the personal information of 551 Lex Autolease (where he worked) customers relating to road traffic accidents to his private email address. This was reportedly to sell on the information for personal injury claims, and he was fined £500 for his DPA breach.
EasyJet admits data of nine million hacked
British Airways data breach: How to claim up to £6,000 compensation
Are you owed £5,000 for the Virgin Media data breach?
Virgin Media faces £4.5 BILLION in compensation payouts
BA customers given final deadline to claim compensation for data breach
Shoppers slam Morrisons after loyalty points stolen
Half a million customers can sue BA over huge data breach
Lawyers accuse BA of 'swerving responsibility' for data breach
The biggest data breaches of 2020