A former rogue manager at a Merseyside branch of the car rental company Enterprise Rent-A-Car has been prosecuted by the Information Commissioner’s Office (ICO) after unlawfully stealing the records of almost two thousand customers before selling them to a claims management company.
Appearing at Wirral Magistrates Court today, 29 year-old Stephen Siddell was prosecuted under section 55 of the Data Protection Act and fined £500, ordered to pay a £50 victim surcharge and £264.08 prosecution costs.
Enterprise Rent-A-Car alerted the ICO after its security systems showed an irregularity. Acting on this information, the ICO then raided a claims management company based in the Liverpool area. The raid resulted in over 500 records being recovered relating to car hire arranged by Enterprise Rent-A-Car on behalf of insurance companies whose customers had been involved in a recent accident.
The records were traced to Siddell, who had used his position as manager of the rental firm’s Southport branch to print the customers’ details. The ICO was able to establish that Siddell printed the details of more than 1900 people between 14 October 2011 and 4 November 2011. All of the documents related to customers involved in road traffic incidents.
Siddell passed the information to the claims management company who then contacted many of the individuals about potential personal injury claims. Neither Enterprise Rent-A-Car nor its customers gave permission for their information to be passed on.
The claims management company remains under investigation by the ICO and so cannot be named at this time.
ICO Head of Enforcement, Stephen Eckersley, said:
“This man was motivated by greed. Stephen Siddell betrayed his employer and exploited over 1900 customers for personal gain. Staff at Enterprise Rent a Car acted swiftly in notifying us of their concerns and we were then able to protect other potential victims.
“Data theft is not a victimless crime and many of the people targeted by Siddell and the claims management company will have received nuisance calls offering to pursue a personal injury claim. Siddell was happy to exploit people after they had recently had an accident, when they may have already been suffering mentally and physically. He is now facing the consequences of his crimes.”
Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of ‘fine only’ – up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.