The Information Commissioner's Office (ICO) has confirmed that it is making enquiries into claims by Labour that Joan Ryan MP either accessed or attempted to access personal data held on Labour's canvassing system after she had resigned from the party. The MP has denied that she was responsible for the alleged breach.
If the ICO finds evidence to substantiate Labour's claims a prosecution for unlawfully obtaining personal data under Section 170 of The Data Protection Act 2018 (DPA 2018) may follow. The ICO lobbied for data protection offences to carry a custodial penalty but the DPA 2018 was enacted with provision for fines only. However, if the ICO considers the matter to be particularly serious it could bring a prosecution for the more serious offence of "unauthorised access to computer material" under Section 1 of the Computer Misuse Act 1990 (CMA 1990) for which sentences of imprisonment can be imposed.
The ICO brought its first prosecution under the CMA in November of last year. Mustafa Kasim was sentenced to six month's imprisonment after accessing a customer database belonging to a former employer. Whilst there were significant aggravating factors in Mr Kasim's case his situation is not dissimilar to what Labour suspects occurred with its canvassing database. A high profile prosecution under the CMA would perhaps give the ICO an opportunity to demonstrate again that it is prepared to push the boundaries in order to protect individual rights.