A Slough letting agent and one of its directors who unlawfully obtained details about their tenants from a rogue employee at Slough Borough Council have been found guilty of committing offences under Section 55 of the Data Protection Act 1998 (DPA).
At Reading Magistrates, SAI Property Investments Limited, trading as IPS Property Services and represented at the hearing by Director Mr Punjab Sandhu, was fined £260 for two offences under the Act and ordered to pay a £15 victim surcharge and £702 prosecution costs. Another director at the company, Sundeep Jaswal, was fined £260 for two offences and ordered to pay a £15 victim surcharge and £351 prosecution costs.
Ounkar Singh Nainu – who supplied both men with information relating to individuals in receipt of Housing and Council Tax Benefit, whilst employed at the council as a Customer Service Advisor – has been fined £690 for three offences and ordered to pay a £15 victim surcharge and £351 prosecution costs.
The first offence took place in September 2009 when Jaswal made contact with Nainu and asked him to obtain personal data about some of their tenants from housing benefit records. This information was provided without the Council’s knowledge and used by the company to chase up their tenants’ outstanding debts. An unsuccessful attempt was then made to obtain further information from the Council’s records in March 2010.
The Council received an anonymous tip-off that Nainu had been illegally accessing the data, and launched an immediate investigation before reporting the matter to the ICO.
Information Commissioner, Christopher Graham, said:
“This case clearly demonstrates the contempt that all three individuals held for the privacy rights of the people affected. The council employee was responsible for handling important information relating to some of the council’s most vulnerable residents. He abused his position hoping to make money and found two unscrupulous individuals who were happy to acquire this information through any means necessary.
“This case highlights the need for a more appropriate range of deterrent punishments to be made available to the courts. There must be no further delay in introducing tougher powers to enforce the Data Protection Act, otherwise unscrupulous individuals will continue to see a mere fine as a price worth paying.”
Unlawfully obtaining or accessing personal data is a criminal offence under Section 55 of the DPA. Offenders can be fined up to £5,000 at Magistrates Court or an unlimited amount at Crown Court. This also applies to attempts under the Criminal Attempts Act.
