Holders of the office of Information Commissioner have often bemoaned the fact that custodial sentences have never been available for offences under data protection law, and the recent enactment of the Data Protection Act 2018 (DPA) hasn't changed this position. And traditionally the Information Commissioner's Office (ICO) has tended not to seek to extend its remit to statutory offences outwith its express powers. Thus, although offences under sections 1 to 3A of the Computer Misuse Act 1990 (CMA) (which will often involve misuse of personal data) can be punishable by imprisonment with maximum terms ranging from two years (section 1 and section 3A) to 14 years (section 3ZA), the ICO has not tended to deal with these provisions. This is no doubt on the basis that its statutory duties, as laid out primarily in the DPA, do not refer to the CMA.
However, since the Supreme Court case of R v Rollins [2010] UKSC 39, it has been clear that any corporate body is, in general terms, entitled to bring a prosecution for any offence, subject to statutory restrictions and conditions. While prosecutions under the DPA are limited to being brought by the ICO (or with the consent of the Director of Public Prosecutions), prosecutions under the CMA are not.
It is on this basis, it appears, that the ICO has recently successfully prosecuted, under section 1 of the CMA, a man who worked for an accident repair firm, and who used his colleagues’ log-in details to access a software system that estimated the cost of vehicle repairs. The man was subsequently sentenced in the Wood Green Crown Court to a term of six months' imprisonment.
As recently as 2017 the ICO was saying that investigations under the CMA were "outside of its remit". Clearly, it no longer thinks this is the case.
Not every data protection infringement will constitute an offence under the CMA, but nonetheless it seems pretty clear that there is now a new prosecutor in town.