ICAEW.com works better with JavaScript enabled.

Case law: Employee sent to prison for accessing employer's data without permission

Employees tempted to access their employer or ex-employer's data without authorisation could face a prison sentence if the ICO decided to prosecute for hacking instead of obtaining data without consent, following a recent case.

December 2018

This update was published in Legal Alert - December 2018

Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.

An employee of a motor repair company logged onto an IT system used by both his current and former employer using the password of an individual employed by his former employer. This gave him access to the personal data of thousands of customers of the former employer, including their names, phone numbers, car details and accident information. He used the data to make unsolicited sales calls to them in his new job.

His old employer became suspicious when there was an increase in complaints of nuisance phone calls from its customers. The employer discovered what he was doing and reported him to the Information Commissioner's Office (ICO) which is responsible for protecting individuals' personal data.

Although his conduct amounted to 'obtaining data without consent' under the Data Protection Act, the maximum penalty is a fine so, for the first time, the ICO decided to prosecute the employee for 'unauthorised access' (ie. hacking) under the Computer Misuse Act because of the ‘nature of the criminal behaviour’ involved. This offence carries a maximum prison sentence of two years. The ex-employee was sentenced to six months in prison.

Although the offender was an ex-employee, the ICO could also prosecute an existing employee for hacking if they accessed personal data from parts of their current employer's own IT system without authority.

Operative date

  • Now


  • Employees tempted to access their employer's or ex-employer's data without authorisation should be aware they could face a prison sentence, if the ICO decided to prosecute for hacking rather than obtaining data without consent

Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.

Copyright © Atom Content Marketing