ICO acting against eight individuals over alleged theft of road traffic accident data from garages

The Information Commissioner’s Office (ICO) has commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of people’s personal information from vehicle repair garages to generate potential leads for personal injury claims.

The alleged activity took place across the UK between 1 December 2014 and 30 November 2017. The defendants are alleged to have conspired together to access and obtain the personal data of hundreds of thousands of individuals without the consent of the companies concerned.

The defendants will now face prosecution for conspiring to commit an offence under section 1 of the Computer Misuse Act 1990, relating to the alleged unlawful accessing of personal data held on computers, and conspiring to commit an offence under section 55 of the Data Protection Act 1998, relating to the alleged unlawful obtaining of personal data.

This prosecution follows a complex and wide ranging criminal investigation by the ICO. The first hearing will take place at Manchester and Salford Magistrates Court on 27 October 2022.

The ICO will not be commenting further on these proceedings at this time.

Notes to editors

1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has its head office in Wilmslow, Cheshire, and regional offices in London, Edinburgh, Cardiff and Belfast. 
2. The  ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the UK General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations. 
3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. 
4. Due to the offences pre-dating the implementation of the current Data Protection Act in May 2018, the relevant legislation is the Data Protection Act 1998.
5. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.