Fines totally £73,000 against two former T-mobile employees raises some interested issues about data protection prosecutions. The two were fined for theft of customer data. This took the form stealing customer data, including contract renewal dates, which was then passed to a company set up by the former T-Mobile marketing manager. There was an attempt to launder the data, with the addition of other non-T-Mobile customers, which was then sold on to marketing companies. Over half a million of such records were sold. Many T-Mobile customers will have experienced calls, usually from abroad, claiming to be from the company and asking about their contract renewal.
The ICO (Information Commissioner’s Office) took the lead in the prosecution. An interesting aspect of this was that the fines were made under the Proceeds of Crime Act for confiscation costs, rather than a fine under the DPA (Data Protection Act). The culprits received sentences up to 18 months, which were suspended on the condition of the fines being paid. It would seem that the ICO and the courts are now taking the issue of data protection seriously. Prior to the end of May this year, the maximum fine for a breach of PECR was £5000, and it would seem a similar amount under the DPA. Since 25th May 2011, fines under PECR and DPA are now £500,000.
There is no connection between this case and the epidemic of accident claims texts; the stolen data was specific to T-Mobile whereas the claims texts appear to be across all of the UK operators. Although the T-Mobile case involved theft of information (DPA) and the accident claims messages are a breach of permissions (PECR) it is good to see that the courts are taking these kinds of breaches more seriously.