Context
The ICO has published an update announcing that two further individuals have been convicted following the ICO's extensive investigation into the unlawful accessing and sale of personal information obtained from over 400 garages across the UK, as well as claims management and insurance companies.
Key points to note and next actions
- The ICO initially started this investigation in 2016 when the owner of a car repair garage in County Durham contacted the regulator, saying he was worried his customers blamed him for the nuisance calls they were receiving about personal injury claims.
- From this initial complaint, the investigation snowballed into one of the largest nuisance call cases that the ICO has ever dealt with, resulting in a wealth of evidence that demonstrated misuses of personal data for the purpose of making calls relating to personal injury claims.
- After identifying the people involved, the ICO investigations team executed nine warrants in the Manchester and Macclesfield areas. The devices seized under search warrant contained 241,000 emails, 4.5 million documents, 144,000 spreadsheets, 1.5 million images and 83,000 multimedia files.
- The defendants were found to have conspired together between 2014 and 2017, during which they accessed or obtained people's personal data from vehicle repair garages without their consent. Approximately one million records were accessed by the defendants convicted of an offence under the Computer Misuse Act.
- This data was then sold on to claims management firms hoping to generate potential leads for personal injury claims.
- The ICO has an ongoing second phase of its investigation and anticipates further prosecutions of people embedded in insurance companies and claims management companies with the sole aim of stealing personal data.
