One of the UK’s largest mobile phone networks was left embarrassed after an individual managed to gain access to its confidential information. The individual, a company director, was fined for illegally accessing one of Everything Everywhere's (EE) customer databases.
Matthew Devlin, a director of three marketing and telecoms companies, gained access to the details of when EE's customers were due a mobile phone upgrade by impersonating a member of the operator’s security team during calls and emails to legitimate mobile phone distributors. He succeeded in obtaining the log-in details and password to EE's database and targeted those customers with services offered by his own telecoms companies. He was fined £500, plus £438.63 costs and a £50 victim surcharge.
The case was embarrassing for EE, but it also demonstrates that even large organisations with significant resources are vulnerable to breaches of data security. SMEs need to be particularly cautious about how they protect data regulated under the Data Protection Act, as significant fines can follow if failings come to light.
The Data Protection Act 1998
The collection and use of personal data is primarily governed by the Data Protection Act 1998 (DPA). The Act applies to data controllers established in the UK, where personal data is processed in the context of that organisation. It affects virtually any business operating in the UK which holds information about individuals.
It is important for any business to comply with its data protection obligations since breaches of data protection laws can result in criminal as well as civil liability. Furthermore, failure to comply with the DPA can result in damaging adverse publicity as breaches of individual privacy are currently prone to attract media attention.
Criminal offences for breaches of the Data Protection Act
Unlawfully obtaining or accessing personal data is a criminal offence under s.55 of the DPA. Offenders are liable to a maximum fine of £5,000 if convicted summarily in a magistrates' court, and an unlimited fine if convicted on indictment in a Crown Court. Following the breach of EE's customer database, the Information Commissioner's Office (ICO) director Christopher Graham, with support from Deputy Prime Minister Nick Clegg, called for sterner penalties for unlawful access to personal data, including the prospect of prison for the most serious cases.
Other breaches of the DPA also constitute criminal offences on the part of the data controller. Examples are breach of the obligation to notify or inform the Commissioner of any changes to registrable particulars, failure to comply with an information notice, a special information notice or an enforcement notice, or knowingly making a false statement in response to an information notice.
Directors and other officers of companies may also be liable for prosecution. Where a company has committed an offence under the DPA with the consent or connivance of, or due to any neglect on the part of, an officer, that officer is guilty of the offence in addition to the company itself. The same applies to the members of a company that is managed by its members.
To avoid breaches of the DPA, businesses should ensure compliance with data protection laws on an ongoing basis. Procedures and policies are required to deal with matters such as data retention, and systems should be in place to handle complaints. For specialist advice about data protection obligations contact Peter Gourri today by email PGourri@rollingsons.co.uk or telephone 0207 611 4848.