Understanding the Consequences of Personal Data Misuse Under the Computer Misuse Act 1990 (CMA)
The Serious Consequences of Unlawfully Accessing Personal Data
For years, the Information Commissioner’s Office (ICO) has emphasised the importance of protecting personal data, holding organisations and individuals accountable for breaches. However, a recent case serves as a stark warning: unauthorised access to personal data can lead to serious legal consequences, including imprisonment.
A Landmark Prosecution
In a significant move, the ICO prosecuted Rizwan Manjra, a former senior employee at Markerstudy Insurance Services Limited (MISL) in Manchester, under the Computer Misuse Act 1990 (CMA). Manjra unlawfully accessed over 32,000 insurance policies, many unrelated to his job, and shared personal data with an unidentified third party. His actions were deliberate, systematic, and in clear violation of data protection laws.
Following an internal investigation by MISL, a search of Manjra’s home uncovered multiple mobile phones and a laptop used to transmit sensitive information. At Manchester Crown Court, he was found guilty of accessing 160 insurance claims without a legitimate reason. Evidence revealed that he sent personal details—including names, vehicle registrations, and accident information—to a contact who encouraged him to “keep them coming.”
A Strong Message from the ICO
This case marks a pivotal moment in the ICO’s enforcement strategy. Traditionally, regulatory actions such as fines and notices have been the primary means of ensuring compliance. However, when data misuse crosses into criminality, the ICO has demonstrated its willingness to pursue prosecution under the CMA.
Andy Curry, Interim Director of Enforcement and Investigations at the ICO, reinforced this stance, stating:
“Manjra abused the trust placed in him and sought to exploit personal information for his own ends. We will take action to protect UK businesses and the public from threats to their personal data. Today’s outcome should serve as a strong deterrent to others considering similar actions.”
A Warning for Employees and Organisations
This case underscores the importance of data protection, not just as a regulatory issue but as a matter of criminal law. Employees must understand that access to personal data is a privilege granted solely for their job responsibilities. Misuse can result in criminal charges, career destruction, and severe legal penalties.
Manjra’s defence team revealed that he did not receive financial compensation for his actions but acted under pressure from loan sharks threatening him. This admission highlights the disturbing reality that criminal networks recognise the value of personal data and will go to great lengths to obtain it.
On 11 December 2024, Manjra was sentenced to six months in prison (suspended for two years) and ordered to complete 150 hours of unpaid work. His case serves as a crucial reminder for businesses to monitor internal systems, implement robust controls, and audit access to sensitive information to prevent data misuse.