ICO Wants Stronger Sentencing After Offender Fined Just £1,000 For Selling 28,000 Records

confidential data

The case illustrates the need for more sentencing options to deter would-be data thieves, the ICO argues

The Information Commissioner has repeated a call for stronger and flexible sentencing powers for those convicted of data-protection offences, after a fine of just £1,000 was issued to a woman found to have sold the personal records of nearly 28,000 car rental customers.

Sindy Nagra, 42, from the western London suburb of Hayes, pleaded guilty at Isleworth Crown Court on Friday to selling nearly 28,000 customer records for £5,000. She was fined £1,000 and ordered to pay a £100 victim surcharge and £864.40 prosecution costs.

Insurance records

Nagra worked as an administrative assistant at Enterprise Rent-A-Car, where she processed customer details received from an insurance company, typically of people involved in road traffic collisions.

Her employer contacted the ICO after noticing that Nagra was looking at many more records than was necessary for her job, and an investigation found that Nagra, who worked from home, was taking screen captures of the records.

She sold them to Iheanyi Ihediwa, 39, of Manchester, who she claimed she was introduced to in a pub. Ihediwa was also fined £1,000 and was ordered to pay prosecution costs of £864.40 and a victim surcharge. The records involved were intercepted and destroyed before they could be used to make nuisance calls, according to the ICO.

In this case, the court said it was obliged to take into account the fact that Nagra had lost her job and had no money with which to pay a larger fine, but the ICO has argued authorities should be given more sentencing options, such as suspended sentences, community service or prison.

Insufficient deterrent

Courts can issue unlimited fines for Data Protection Act offences such as Nagra’s, but not custodial sentences.

“The fines that courts are issuing at the moment just don’t do enough to discourage would-be data thieves,” information commissioner Christopher Graham stated. “This fine highlights the limited options the courts have. With so much concern about the security of data, it is more important than ever that the courts have at their disposal more effective deterrent penalties than just fines.”

This is not the first case in which an Enterprise employee has been prosecuted for data protection offences. In July 2014 a former Enterprise branch manager was fined £500 and ordered to pay a £50 victim surcharge and £264.08 in prosecution costs for stealing the records of nearly 2,000 customers and selling them to a claims management company.

The ICO has handed out substantial fines to everything from government ministries to police organisations to private companies.

UPDATE 13/01/2016: This article has been amended to reflect the fact that Isleworth Crown Court, not the ICO handed out the fine

Are you a security pro? Try our quiz!