Information Commissioner's Office
Former company director believed to have profited by more than £1.4 million after selling personal data illegally
A former company director found guilty of illegally obtaining people’s personal data and selling it to solicitors chasing personal injury claims, has been fined for breaches of data protection and issued with a confiscation order under the Proceeds of Crime Act 2002.
David Cullen of Middleton Road, Manchester, was the managing director of No1 Accident Claims Limited based on Oxford Road, Manchester from 4 March 2010 until 20 December 2012 when the company was liquidated. The business profited from selling illegally obtained personal data to solicitors. The data, belonging to people who had been in road accidents, could then be used to pursue personal injury claims.
Appearing before Manchester Crown Court on 24 June 2019, Cullen was fined £1,050 and ordered to pay £250 costs. He was disqualified from being a company director for five years and an order was made for the forfeiture and destruction of items which were seized as part of a search warrant in 2012. During the raid on Cullen’s business a number of computer devices and documents were seized containing the unlawfully obtained data.
Following sentencing, confiscation under the Proceeds of Crime Act 2002 commenced. The exact figure which Cullen is believed to have benefited from during his illegal activities is £1,434,679.60. Due to a lack of assets, the Court proceeded by making a £1 nominal order. Cullen’s financial circumstances will be regularly reviewed, and should they improve, the amount of the confiscation order can be increased.
Michael Shaw, Group Manager – Enforcement at the ICO recently said:
“The volume of confidential personal information found in Cullen’s possession showed his blatant disregard of people’s right to privacy and our data protection laws.
“The confiscation order under the Proceeds of Crime Act is a warning shot to anyone using or thinking about using personal data illegally. We can and will take action which can have a huge effect on your personal life including confiscating assets and earnings – whatever they may be.”
Cullen pleaded guilty to 21 charges of unlawfully obtaining and selling personal data in breach of s55 of the Data Protection Act 1998, when he appeared before Manchester City & Salford Magistrates Court on 27 September 2018.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- The ICO’s prosecution policy can be found here.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- A limited number of criminal prosecutions – including this case - are still being dealt with under the provisions of the Data Protection Act 1998 because of when the offence occurred.
- Criminal prosecution penalties are set by the courts and not by the ICO. The maximum penalty for criminal offences under both the Data Protection Act 1998 and the new 2018 Act is an unlimited fine.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.
Latest News from
Information Commissioner's Office
ICO's blog on its information rights work23/01/2020 16:10:00
Colleagues from the ICO’s access to information and compliance department share their experiences and involvement in raising awareness of our regulation of access to information legislation.
ICO publishes Code of Practice to protect children’s privacy online22/01/2020 16:33:00
The Information Commissioner’s Office yesterday published its final Age Appropriate Design Code – a set of 15 standards that online services should meet to protect children’s privacy.
Blog: Adtech - the reform of real time bidding has started and will continue17/01/2020 16:25:00
A blog by Simon McDougall, ICO Executive Director of Technology and Innovation
National retailer fined half a million pounds for failing to secure information of at least 14 million people10/01/2020 13:25:00
The Information Commissioner’s Office (ICO) has fined DSG Retail Limited (DSG) £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
ICO launches consultation on draft direct marketing code of practice09/01/2020 09:10:00
The Information Commissioner's Office (ICO) has launched a public consultation on a draft direct marketing code of practice.
Blog: The benefits of sharing personal data – what can we learn from Open Banking?07/01/2020 13:20:00
The ICO’s Regulators’ Business Innovation Privacy Hub has recently been looking at the key data protection considerations for innovators who are working in the Open Banking space.
Trust, technology and slippers with torches02/01/2020 14:10:00
Jonathan Bamford holds up a tatty bundle of papers. They’re scrumpled, time worn, ripped and held together with yellowing Sellotape, but with the Royal coat of arms crown still proudly visible on the cover.
Statement on ICO-approved certification schemes23/12/2019 12:10:00
The ICO has announced it will be working with UK Accreditation Service (UKAS) to deliver the ICO-approved certification schemes.