ICO’s new teeth: Using the CMA to bite back at data crime
For years the Information Commissioner’s Office was seen as a body that imposed fines, wrote reports, and issued warnings. Criminal prosecutions were rare, and when they did happen, they often led to little more than a financial penalty. That picture is changing. The ICO has expanded its legal team, broadened its remit, and is now turning to the Computer Misuse Act 1990 (CMA) to secure stronger sentences. Custodial penalties, once unthinkable for data offences, are now firmly on the table.
Why the ICO needed sharper tools
Historically, the ICO’s criminal work focused on lower-level offences. Nosy employees peeking into records they had no business seeing. Small-scale misuse of personal data without serious financial gain. Most cases could be managed with fines under the Data Protection Act. But as personal data became more valuable, the scale of offending grew.
Underground markets sprang up for accident claims data, insurance details, and customer records from service providers. Individuals realised they could make tens of thousands of pounds by selling or trading data, often without much fear of serious consequence. At worst they faced a fine, which could be written off as a cost of doing business.
The ICO recognised that this had to change. The agency was hampered by the limits of the Data Protection Act, which in many cases did not allow for imprisonment. The Computer Misuse Act, though drafted in 1990, offered a way forward. Section 1 of the Act makes it an offence to access data without authorisation via a computer, and carries a maximum penalty of two years in prison. This gave the ICO a path to tougher sentences in cases where simple fines did not match the seriousness of the offence.
The case that changed the tone
The turning point came in 2018. Mustafa Kasim, an employee at a vehicle repair firm, accessed the personal data of more than 170,000 customers by using colleagues’ login details. He had no business reason to do so and later continued accessing data even after leaving the company. The records were linked to nuisance calls, complaints, and harassment of customers.
The ICO chose to prosecute under the CMA rather than rely only on the Data Protection Act. Kasim received a six-month prison sentence. It was the first time the ICO had secured an immediate custodial term for a data offence. The message was clear. Unauthorised access to personal data is not a trivial matter. It is a criminal act that can result in jail.
Building capacity and broadening cases
At the time of that case, the ICO’s prosecutions team was small. Today it has grown to five lawyers and a paralegal working exclusively on criminal matters. That growth is now showing in the cases coming through. Former RAC employees who accessed and sold customer information received suspended prison sentences in 2024. Other cases are in the pipeline, with several defendants awaiting trial.
These sentences matter. Even where terms are suspended, they show that courts are willing to hand out custodial penalties for data crime.
The ICO has also begun seeking confiscation orders under the Proceeds of Crime Act to strip offenders of their gains. For many defendants, the prospect of losing money, cars, or homes is more daunting than a short custodial term. By pairing CMA prosecutions with POCA applications, the regulator is showing real bite.
What this means for organisations
For businesses, the new teeth of the ICO should be seen as both a warning and a source of support.
The warning is obvious. Companies with weak controls, shared log-ins, or poor exit processes for staff are at risk. Data theft by insiders is one of the most common patterns in these cases. If your organisation has not reviewed access management recently, you could be leaving the door wide open. The reputational fallout is severe. Victims of nuisance calls or aggressive claim-chasing will not remember the name of the rogue employee. They will remember the company that failed to protect their data.
The support comes from knowing the ICO is now more willing to prosecute rogue employees. For companies facing insider abuse, this is a deterrent you can point to. You can show staff that data misuse will not just cost them their job, it could cost them their freedom. That message is far stronger than the threat of a civil fine.
Practical steps to take
Privacy professionals can turn this enforcement shift into concrete action on Monday morning.
- Tighten access control: Review who has access to personal data, especially sensitive datasets. Eliminate shared credentials. Ensure audit logs are maintained and reviewed regularly.
- Act fast on leavers: Remove access immediately when an employee leaves. Monitor for unusual activity in the period leading up to their departure.
- Monitor usage: Watch for red flags such as bulk downloads, out-of-hours access, or unusual search activity. These may indicate unauthorised use or attempted exfiltration.
- Communicate the risk: Reinforce in training that unauthorised access is not only a policy breach but also a criminal offence, which in serious cases can lead to imprisonment.
- Prepare for incidents: Build procedures for evidence preservation. If you suspect data crime, early action matters.
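The access-control, leaver and monitoring steps above can be combined into one pass over an audit log. The following is an added example, not part of the original article: the log layout, account names, thresholds and leaver list are all constructed assumptions, and the four flags correspond to access after departure, out-of-hours access, bulk record access, and one account used from several workstations.

```python
from collections import defaultdict
from datetime import datetime, date

# Assumed policy values; tune to your own environment.
WORK_HOURS = range(7, 19)      # 07:00-18:59 counts as in-hours
BULK_THRESHOLD = 3             # distinct records per account per day (low for the demo)

# Constructed sample data: (timestamp, account, workstation, customer record id)
AUDIT_LOG = [
    ("2024-03-04T10:15:00", "asmith", "WS-01", "C1001"),
    ("2024-03-04T10:20:00", "asmith", "WS-01", "C1002"),
    ("2024-03-04T11:00:00", "bjones", "WS-02", "C2001"),
    ("2024-03-04T11:05:00", "bjones", "WS-07", "C2002"),   # second workstation
    ("2024-03-04T23:40:00", "cpatel", "WS-03", "C3001"),   # out of hours
    ("2024-03-05T09:00:00", "dkhan", "WS-04", "C4001"),
    ("2024-03-05T09:01:00", "dkhan", "WS-04", "C4002"),
    ("2024-03-05T09:02:00", "dkhan", "WS-04", "C4003"),
    ("2024-03-05T09:03:00", "dkhan", "WS-04", "C4004"),    # 4 distinct records
    ("2024-03-06T14:00:00", "elee", "WS-05", "C5001"),     # after leave date
]
LEAVERS = {"elee": date(2024, 3, 1)}   # constructed HR leaver list: account -> last day


def review(events, leavers, bulk_threshold=BULK_THRESHOLD):
    """Return {account: sorted list of flags} for accounts that need a human look."""
    flags = defaultdict(set)
    records = defaultdict(set)       # (account, day) -> distinct record ids
    workstations = defaultdict(set)  # (account, day) -> workstations used
    for ts, account, ws, record in events:
        when = datetime.fromisoformat(ts)
        day = when.date()
        if account in leavers and day > leavers[account]:
            flags[account].add("post_departure_access")
        if when.hour not in WORK_HOURS:
            flags[account].add("out_of_hours")
        records[(account, day)].add(record)
        workstations[(account, day)].add(ws)
    for (account, _), seen in records.items():
        if len(seen) > bulk_threshold:
            flags[account].add("bulk_access")
    for (account, _), used in workstations.items():
        if len(used) > 1:
            flags[account].add("possible_shared_credential")
    return {a: sorted(f) for a, f in flags.items()}


if __name__ == "__main__":
    for account, found in sorted(review(AUDIT_LOG, LEAVERS).items()):
        print(account, found)
```

A flag is a prompt for review, not proof of misuse; the underlying log entries are what would need preserving as evidence.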
Looking ahead
The Computer Misuse Act is now 35 years old. The government has indicated that it intends to review and modernise the law, including the scope of offences and sentencing powers. The ICO has welcomed this, noting that the current maximum sentence of two years’ imprisonment for basic unauthorised access may not reflect the scale or sophistication of modern data crime. For now, however, the CMA is proving effective. The ICO has demonstrated that it is prepared to move beyond fines and use every tool available through the courts. This is reshaping how data crime is understood by courts, businesses, and offenders alike. The regulator is sending a clear message. Data theft is not harmless snooping. It is organised, profitable crime. And if you are caught, you may face not just a fine but a criminal record, a confiscation order, and the prospect of prison.