The Information Commissioner’s Office has brought a successful prosecution against Mustafa Kasim, resulting in a six-month prison sentence which represents a ‘first’ in relation to a successful prosecution under the Computer Misuse Act on behalf of the ICO.

The ICO Outlines the Story:

“Mustafa Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed thousands of customer records containing personal data without permission, using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex.

He continued to do this after he started a new job at a different car repair organisation which used the same software system. The records contained customers’ names, phone numbers, vehicle and accident information.”

NARS contacted the ICO when they saw a spike in complaints about nuisance calls. As a responsible data protection advocate, they were a little surprised by the level of complaint. The ICO investigated and found Kasim was in the wrong. They decided to use the Computer Misuse Act of 1990 over the Data Protection Acts of 1998 or 2018. The ICO concluded:

“People who think it’s worth their while to obtain and disclose personal data without permission should think again. Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour.

“Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.”