ICO: former company director showed 'blatant disregard of people's right to privacy and our data protection laws'

David Cullen of Middleton Road, Manchester, was the managing director of No1 Accident Claims Limited based on Oxford Road, Manchester from 4 March 2010 until 20 December 2012 when the company was liquidated. The business profited from selling illegally obtained personal data to solicitors. The data, belonging to people who had been in road accidents, could then be used to pursue personal injury claims.

Mr Cullen appeared before the Crown Court in Manchester for sentencing on 24 June 2019. He had previously pleaded guilty to 21 charges of unlawfully obtaining and selling personal data contrary to section 55 of the Data Protection Act 1998. This legislation is no longer in force but was the law which was in force at the time of Mr Cullen’s offences. Prosecutions can still take place based on the old legislation depending on the timing of the offences.

Mr Cullen was reportedly fined £1050 and ordered to pay £250 in costs.

Michael Shaw, Group Manager Enforcement at the ICO said:

“The volume of confidential personal information found in Cullen’s possession showed his blatant disregard of people’s right to privacy and our data protection laws.

The confiscation order under the Proceeds of Crime Act is a warning shot to anyone using or thinking about using personal data illegally. We can and will take action which can have a huge effect on your personal life including confiscating assets and earnings whatever they may be.„

Mr Cullen was also subject to a confiscation order pursuant to the Proceeds of Crime Act 2002. He is believed to have benefited to the tune of £1,434,679.60 from his offences. However, notably, he was only ordered to pay the nominal sum of £1, due to a lack of assets. This is apparently subject to increase should his financial circumstances improve.

In July 2015, Andrew Skelton, a former senior IT auditor at Morrisons, was also convicted of an offence contrary to section 55 Data Protection Act 1998 (amongst other offences) and was sentenced to a term of eight years imprisonment. Mr Skelton unlawfully disclosed the payroll data of almost 100,000 Morrisons employees (including salaries, National Insurance Numbers, dates of birth and bank account details) on the internet and sent it to several newspapers. The prosecuting authority was CPS West Yorkshire, as opposed to the ICO.

The prosecution of Mr Cullen demonstrates that, in addition to the police and the CPS, the ICO has the power to investigate and prosecute people who illegally misuse personal data. In May 2018, the ICO published its prosecution policy statement. November 2018 saw the first prison sentence handed down as a result of a criminal prosecution by the ICO.

Although it might be said that the sanctions imposed on Mr Cullen were not particularly severe, the ICO has previously stated that it will “push the boundaries„ in order to protect individuals’ rights.