For the first time the ICO have successfully brought a prosecution case forward that has resulted in a prison sentence.
Mustafa Kasim worked for an accident repair firm called Nationwide Accident Repair Services (NARS). NARS use a software system to host the personal data of thousands of their customers. After leaving NARS to work elsewhere, Kasim maintained access to the software by using a former colleagues' log-in details. NARS realised that Kasim was still accessing the data after customers began complaining about nuisance calls; the ICO soon became involved.
The ICO generally prosecute cases of this kind under the Data Protection Act 1998 or 2018 (DPA). These cases generally result in a relatively small fine. On this occasion, however they deemed it appropriate to exercise their powers under the Computer Misuse Act 1990, which resulted in Kasim being sentenced to 6 months imprisonment.
In the wake of GDPR, it appears that the ICO will be more willing to use the full range of legislation at their disposal in order to deter future data breaches.
Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.