Information Commissioner's Office
Former company director believed to have profited by more than £1.4 million after selling personal data illegally
A former company director found guilty of illegally obtaining people’s personal data and selling it to solicitors chasing personal injury claims, has been fined for breaches of data protection and issued with a confiscation order under the Proceeds of Crime Act 2002.
David Cullen of Middleton Road, Manchester, was the managing director of No1 Accident Claims Limited based on Oxford Road, Manchester from 4 March 2010 until 20 December 2012 when the company was liquidated. The business profited from selling illegally obtained personal data to solicitors. The data, belonging to people who had been in road accidents, could then be used to pursue personal injury claims.
Appearing before Manchester Crown Court on 24 June 2019, Cullen was fined £1,050 and ordered to pay £250 costs. He was disqualified from being a company director for five years and an order was made for the forfeiture and destruction of items which were seized as part of a search warrant in 2012. During the raid on Cullen’s business a number of computer devices and documents were seized containing the unlawfully obtained data.
Following sentencing, confiscation under the Proceeds of Crime Act 2002 commenced. The exact figure which Cullen is believed to have benefited from during his illegal activities is £1,434,679.60. Due to a lack of assets, the Court proceeded by making a £1 nominal order. Cullen’s financial circumstances will be regularly reviewed, and should they improve, the amount of the confiscation order can be increased.
Michael Shaw, Group Manager – Enforcement at the ICO recently said:
“The volume of confidential personal information found in Cullen’s possession showed his blatant disregard of people’s right to privacy and our data protection laws.
“The confiscation order under the Proceeds of Crime Act is a warning shot to anyone using or thinking about using personal data illegally. We can and will take action which can have a huge effect on your personal life including confiscating assets and earnings – whatever they may be.”
Cullen pleaded guilty to 21 charges of unlawfully obtaining and selling personal data in breach of s55 of the Data Protection Act 1998, when he appeared before Manchester City & Salford Magistrates Court on 27 September 2018.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- The ICO’s prosecution policy can be found here.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- A limited number of criminal prosecutions – including this case - are still being dealt with under the provisions of the Data Protection Act 1998 because of when the offence occurred.
- Criminal prosecution penalties are set by the courts and not by the ICO. The maximum penalty for criminal offences under both the Data Protection Act 1998 and the new 2018 Act is an unlimited fine.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.
Latest News from
Information Commissioner's Office
Statement: Live facial recognition technology in King's Cross19/08/2019 15:25:00
Statement from Elizabeth Denham, Information Commissioner, on the use of live facial recognition technology in King's Cross, London.
Statement: Live facial recognition technology in Kings Cross16/08/2019 10:10:00
Statement from Elizabeth Denham, Information Commissioner, on the use of live facial recognition technology in Kings Cross, London.
Blog: Three top issues for town and parish councils15/08/2019 10:15:00
The advent of the GDPR in May 2018 brought new data protection obligations for many organisations. Some of this presented a challenge, particularly for smaller organisations like parish and town councils, who we saw were keen to demonstrate their compliance but needed support to achieve this.
ICO launches consultation on the draft framework code of practice for the use of personal data in political campaigning09/08/2019 14:20:00
The Information Commissioner's Office (ICO) is consulting on a new framework code of practice for the use of personal data in political campaigning.
Blog: Protecting children online: update on progress of ICO code07/08/2019 15:10:00
Blog posted by: Elizabeth Denham, Information Commissioner, 07 August 2019.
Fully automated decision making AI systems: the right to human intervention and other safeguards06/08/2019 10:25:00
Reuben Binns, our Research Fellow in Artificial Intelligence (AI), and Valeria Gallo, Technology Policy Adviser, discuss some of the key safeguards organisations should implement when using solely automated AI systems to make decisions with significant impacts on data subjects.
ICO joins international signatories in raising Libra data protection concerns05/08/2019 16:25:00
The Information Commissioner’s Office (ICO) has joined data protection authorities from around the world in calling for more openness about the proposed Libra digital currency and infrastructure.
ICO fines boiler replacement company for thousands of nuisance calls made to TPS subscribers05/08/2019 09:10:00
Making it Easy Ltd has been fined £160,000 by the Information Commissioner’s Office (ICO) for making spam calls to people registered with the Telephone Preference Service (TPS).