On 21 May 2026, the ICO said it had secured a £355,880.10 confiscation order against former motor-insurance worker Rizwan Manjra. This was not a corporate fine. It was a proceeds-of-crime order after an employee had already admitted unlawfully accessing personal information for financial gain. The compliance lesson is still squarely for organisations: insider misuse stays an access-control problem long before it becomes a criminal case.
The ICO’s action matters because it shows two things at once. First, personal-data misuse by staff is prosecuted. Second, profits made from that misuse can be clawed back. If one employee can browse claims or policy records without a business reason, keep doing it over weekends, and send details out to another person, the individual’s conduct matters. So do the access, oversight, and escalation controls that should have caught it earlier.
What the ICO said happened
According to the ICO’s December 2024 prosecution record, Manjra led a team dealing with accident claims at Markerstudy Insurance Services Limited in Manchester. The case surfaced after third-party insurers raised concerns around 185 claims. An internal investigation found that Manjra featured in 160 of them, even though his role did not involve accessing those claims, and that 147 had not been referred to his team at all.
The same ICO record says the company’s systems showed Manjra had accessed more than 32,000 policies during weekends, despite being contracted to work Monday to Friday and not claiming overtime. The ICO also found that he had been using a mobile phone to send personal data he had accessed to another person. At Manchester Crown Court on 30 October 2024, he pleaded guilty to an offence under section 1 of the Computer Misuse Act 1990. On 11 December 2024, he received a six-month prison sentence, suspended for two years, plus 150 hours of unpaid work.
The latest step came at a Proceeds of Crime Act hearing at Manchester Crown Court on 15 May 2026. The ICO says the confiscation order must be paid within three months. If it is not paid, Manjra faces a default prison sentence of three years and six months and still remains liable for the full amount. The court also ordered him to pay £1,500 in costs within six months.
Why this is a control story before it becomes a prosecution story
The ICO’s data security guidance is direct on the point. Personal data should be accessible only to people you have authorised, and those people should act only within the scope of that authority. That is the part managers should dwell on here. The risk did not begin at the courtroom stage. It began when access to live customer information could apparently be used outside the employee’s role without being stopped quickly.
Weekend access and unusual claim patterns should trigger review
Two facts stand out from the ICO’s published summary: concerns around 185 claims, and more than 32,000 policy accesses over weekends. Either on its own should have justified immediate scrutiny. Pattern anomalies matter, and so does access outside normal working arrangements. The point is similar to the one in our write-up of the South Staffordshire ICO case: weak oversight gives bad activity time to continue. There the issue was network intrusion and poor monitoring; here it was staff access that sat outside any clear business need. The control theme is the same.
Least privilege means access must match the job
The ICO’s records-management and security audit framework says access to systems processing personal information should be restricted to the absolute minimum in line with least privilege. That matters here because the published facts show an employee touching claims and policies that his team had no reason to handle. Managers should read this as a reminder that role-based access is not a one-off set-up task. Permissions drift. Teams change. Temporary access survives longer than intended. Recertification has to be real.
Training matters, but monitoring matters too
Refresher training still has a role. Staff need to understand that browsing personal data out of curiosity, convenience, or profit is unlawful even if the login is technically valid. But training alone is not the answer. Organisations also need logs that people actually review, challenge routes when partner firms or clients spot anomalies, and a culture where unusual access is investigated rather than waved through. Our article on data protection refresher training covers what the ICO expects from repeat training in practice.
Practical checks for managers
- Review whether staff can access claims, policy files, or customer records outside their current role.
- Set alerts for high-volume access, repeat weekend access, and activity on records not assigned to the user or team.
- Ask whether partner complaints or insurer queries land in a queue with named ownership and response times.
- Run periodic access recertification so old permissions are removed, not inherited forever.
- Make misuse examples part of refresher training, with clear disciplinary and legal consequences.
- Check whether managers can explain why each high-risk role has the access it has.
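The review triggers in the checklist above, and the weekend and out-of-scope patterns discussed under the earlier heading, can be expressed as simple detection rules over an access log. The Python below is an added example written for this article; it is not code from the ICO, from any insurer’s systems, or from the case record. The log format, user IDs, team names, record identifiers and the weekday-only roster are all constructed for illustration, and the volume threshold of three accesses per day is deliberately low so the sample fires; a real deployment would read the claims platform’s own audit log and set the threshold per role.

```python
"""Added example: three insider-access detection rules over a constructed audit log.

Rules (mirroring the checklist in the article):
  1. weekend access by users with no weekend working arrangement
  2. access to records not referred to the user's team (or to nobody)
  3. more accesses per user per day than the role should need
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    team: str            # team the user belongs to
    record: str          # claim or policy identifier
    assigned_team: str   # team the record was referred to; "" if not referred to anyone


# Constructed sample log (not real data). Format: timestamp|user|user_team|record|assigned_team
# 2024-06-08 is a Saturday and 2024-06-09 a Sunday.
SAMPLE_LOG = """\
2024-06-03T09:12:00|u1001|claims-a|CLM-1001|claims-a
2024-06-03T09:40:00|u1001|claims-a|CLM-1002|claims-a
2024-06-04T10:05:00|u1002|claims-b|CLM-2001|claims-b
2024-06-04T14:30:00|u1001|claims-a|CLM-2002|claims-b
2024-06-08T11:02:00|u1001|claims-a|POL-3001|
2024-06-08T11:03:00|u1001|claims-a|POL-3002|
2024-06-08T11:03:30|u1001|claims-a|POL-3003|
2024-06-08T11:04:00|u1001|claims-a|CLM-2003|claims-b
2024-06-09T16:20:00|u1001|claims-a|POL-3004|
2024-06-09T16:21:00|u1001|claims-a|POL-3005|
2024-06-08T12:00:00|u1003|fraud-oncall|CLM-2004|fraud-oncall
"""

# Hypothetical roster: users contracted Monday to Friday with no weekend arrangement.
# u1003 is an on-call user, so weekend access alone is not anomalous for them.
WEEKDAY_ONLY_USERS: Set[str] = {"u1001", "u1002"}


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the pipe-delimited constructed log into AccessEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, team, record, assigned = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, team, record, assigned))
    return events


def weekend_access(events: List[AccessEvent], weekday_only: Set[str]) -> List[AccessEvent]:
    """Rule 1: Saturday/Sunday access by a user who has no weekend working arrangement."""
    return [e for e in events if e.ts.weekday() >= 5 and e.user in weekday_only]


def out_of_scope_access(events: List[AccessEvent]) -> List[AccessEvent]:
    """Rule 2: record not referred to the user's team, including records referred to nobody."""
    return [e for e in events if e.assigned_team != e.team]


def high_volume_days(events: List[AccessEvent], threshold: int) -> List[Tuple[str, str, int]]:
    """Rule 3: more than `threshold` record accesses by one user on one calendar day."""
    per_day = Counter((e.user, e.ts.date().isoformat()) for e in events)
    return sorted((u, d, n) for (u, d), n in per_day.items() if n > threshold)


def triage(events: List[AccessEvent], weekday_only: Set[str], threshold: int) -> Dict[str, Dict[str, int]]:
    """Per-user summary for a manager or reviewer: which rules fired and how often."""
    summary: Dict[str, Counter] = {}
    for e in weekend_access(events, weekday_only):
        summary.setdefault(e.user, Counter())["weekend"] += 1
    for e in out_of_scope_access(events):
        summary.setdefault(e.user, Counter())["out_of_scope"] += 1
    for user, _, _ in high_volume_days(events, threshold):
        summary.setdefault(user, Counter())["high_volume_days"] += 1
    return {u: dict(c) for u, c in summary.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, hits in triage(evs, WEEKDAY_ONLY_USERS, threshold=3).items():
        print(user, hits)
```

Each rule is weak on its own: an on-call user works weekends legitimately, and a referral mistake can put one record outside a team's scope. The value is in the combined per-user view from `triage`, which surfaces the user who trips all three, and in routing that view to someone with named ownership rather than leaving it in a log nobody reads.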
The confiscation order is the headline figure. The operational lesson sits underneath it. Insider misuse cases do not start with a POCA hearing. They start with ordinary system access, weak challenge, and controls that are looser than the job requires. If your team needs a practical baseline on staff handling of personal data, the GDPR Refresher Training Course is the sensible next step.
