Fines imposed for unlawful trading in customer personal data

The Information Commissioner has reiterated his call for stronger sentencing powers for people convicted of stealing personal data. His comments come after a former car rental company employee was convicted for unlawfully obtaining, disclosing and selling personal data, in the form of customer records.

While working from home as an administrative assistant for Enterprise Rent-A-Car, the defendant photographed on-screen customer records received from an insurance company. These included policyholder and claim information, typically concerning individuals involved in road traffic accidents. She sold copies of 28,000 records for £5,000 in cash to a man she claimed to have met after he approached her husband in a pub. The buyer of the records was also convicted under data protection legislation.

This serves as a reminder that businesses must put in place appropriate technological and organisational security measures to comply with data protection legislation. They should train staff on the importance of protecting personal data and ensure that they understand the dangers of unlawfully obtaining, disclosing, buying or selling personal data, for example, by alerting their staff to the risks of people trying to obtain personal data by deception.