A former Management Trainee at Enterprise Rent-A-Car UK Limited (“Enterprise Rent-A-Car”) has been ordered to pay a fine after admitting he illegally obtained customer data between 18 March 2019 and 1 April 2019.
Initial concerns were raised after Shairaz Saleem, 42, visited his workplace in West Yorkshire outside of his scheduled hours on Sunday 31 March 2019. An internal audit found he’d spent 32 minutes accessing 39 records of customer data in relation to 25 different rental branches.
Following this, Enterprise Rent-A-Car conducted an internal investigation which found Saleem had accessed a number of records containing personal data during the offending period in 2019. He was dismissed for gross misconduct shortly thereafter. The number of records considered to have been unlawfully accessed was at least 213.
The company did not consent to Saleem obtaining this data, stating that accessing this information fell outside of his role and there was no business need for him to do so.
Enterprise Rent-A-Car referred the case to the Information Commissioner’s Office, who launched a criminal investigation into Saleem.
Saleem appeared at Huddersfield Magistrates’ Court on Monday 13 May where he pleaded guilty to unlawfully obtaining data contrary to section 170 DPA 2018. He was ordered to pay a fine of £265, costs of £450 and a victim surcharge of £32.
Head of Investigations Andy Curry said
“Just because your job may give you access to other people’s personal information, it doesn’t mean you have the legal right to look at it whenever you like.
“This is an invasion of customer privacy by Saleem, who abused the trust that his employer placed in him, and which had the potential to jeopardise the broader company reputation.
“Unfortunately, these incidents cannot always be avoided due to some people having malign intent. Organisations can, however, put measures in place to mitigate occurrences by, as Enterprise Rent-A-Car did, having internal audit arrangements in place and ensuring staff are educated about data protection and information governance responsibilities, and how to handle people’s data responsibly. Those looking for more information can also visit our website.”
Notes to editors
- No additional evidence was found to show Mr Saleem had sold the data or made any financial gain; therefore, the charge is for unlawfully obtaining the data.
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has its head office in Wilmslow, Cheshire, and regional offices in Edinburgh, Cardiff and Belfast.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.