ICO secures over £118,000 in confiscation orders against former RAC employees — why employee access abuse still demands hard controls

Scott Dooley
4 min read · Jun 6, 2026

On 4 June 2026, the Information Commissioner’s Office said it had secured £118,852.32 in confiscation orders against two former RAC employees. This was not a corporate GDPR fine. It was the next stage of a criminal case about staff copying and selling personal data. The management lesson is still immediate: if customer records can be pulled, copied, and passed on without a clear business reason, your access controls are already failing.

The ICO says Debbie Okparavero and Maliha Islam were ordered to pay £85,727.32 and £33,125.00 respectively, plus costs, after Proceeds of Crime Act hearings. The regulator also linked the confiscation orders back to the earlier criminal case, where both defendants had admitted conspiracy offences under the Computer Misuse Act 1990 and the Data Protection Act 2018 for unlawfully copying and selling almost 30,000 lines of personal information.

What the ICO says happened

In its 9 October 2024 case summary, the ICO said both women worked as customer service specialists at the RAC call centre in Stretford. The RAC installed new security monitoring software, which showed Okparavero had unlawfully accessed and copied personal information relating to people involved in road traffic accidents. A search of Okparavero’s mobile phone then showed that information being shared in a WhatsApp chat with Islam, with messages indicating a third party was paying for the data.

At Minshull Street Crown Court on 8 October 2024, both defendants received six-month prison sentences, suspended for 18 months, plus 150 hours of unpaid work. The confiscation hearings came later. On 29 May 2026, Manchester Crown Court ordered Okparavero to pay £85,727.32 plus £3,550.00 in costs within three months. At an earlier hearing in November 2025, Islam was ordered to pay £33,125.00 plus £2,797.50 in costs, and the ICO says that order has already been paid in full.

Why this still matters for employers

The confiscation orders land after the criminal sentencing, but the control gap started much earlier. Someone in a customer-service role was able to access and copy accident-related records, move them onto a phone, and share them in a WhatsApp chat linked to payment. By the time the case reached court, the failure had already travelled through access control, monitoring, incident response, and staff conduct.

The ICO’s data security guidance is plain on the basic rule: personal data should only be available to authorised people, and only for the work they are meant to do. That sounds obvious. In practice, it means managers need more than a permissions matrix written once and forgotten. They need working checks on bulk access, exports, personal-device misuse, and unusual patterns inside ordinary business systems.

Hard controls to review now

Start with role-based access. If a customer-service worker can view or extract records outside their case load, team, or task, the permission model is too loose. Then look at monitoring. The RAC case moved because the company installed software that exposed suspicious activity. That should prompt a blunt question for every manager handling personal data: would you know this was happening in your own environment, or would you only find out after a partner, customer, or regulator raised it?

  • Restrict access to the minimum each role needs, then review exceptions on a fixed schedule.
  • Set alerts for bulk access, repeat lookups on sensitive categories, and exports outside normal workflow.
  • Block or tightly control copying data to personal devices, consumer messaging apps, and unmanaged storage.
  • Give line managers a named escalation route when misuse is suspected, including HR, security, and legal ownership.
  • Remove or reduce access quickly when staff move teams, go on long leave, or leave the business.
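The alerting bullets above, worked as detection logic over a constructed customer-record audit trail (an added example written for this article, not code from the ICO, the RAC or the author): it flags bulk record access within a time window, repeated lookups on a sensitive category outside an agent's own caseload, and exports that fall outside the agent's caseload or normal working hours. The field layout, thresholds and sample rows are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real RAC data). Fields: timestamp, agent,
# record_id, category, action, record_is_in_agent_caseload
SAMPLE_LOG = [
    ("2026-05-01T09:02:00", "agent_a", "R1001", "breakdown", "view", True),
    ("2026-05-01T09:10:00", "agent_a", "R1002", "breakdown", "view", True),
    ("2026-05-01T09:40:00", "agent_a", "R1002", "breakdown", "export", True),
    # agent_b sweeps through accident records that are not on their caseload
    *[(f"2026-05-01T12:{m:02d}:00", "agent_b", f"R2{m:03d}", "accident", "view", False)
      for m in range(30)],
    ("2026-05-01T22:15:00", "agent_b", "R2005", "accident", "export", False),
]

BULK_LIMIT, WINDOW = 20, timedelta(hours=1)   # distinct records per window
SENSITIVE, SENSITIVE_LIMIT = {"accident"}, 5  # unassigned sensitive lookups
WORK_HOURS = (8, 18)                          # exports outside this are flagged

def parse(rows):
    return [dict(ts=datetime.fromisoformat(r[0]), agent=r[1], record=r[2],
                 category=r[3], action=r[4], assigned=r[5]) for r in rows]

def bulk_access(events):
    """Agents touching more than BULK_LIMIT distinct records in any WINDOW."""
    by_agent = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_agent[e["agent"]].append(e)
    flagged = set()
    for agent, evs in by_agent.items():
        for i, start in enumerate(evs):  # sliding window from each event
            seen = {e["record"] for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW}
            if len(seen) > BULK_LIMIT:
                flagged.add(agent)
                break
    return flagged

def sensitive_repeat(events):
    """Agents repeatedly opening sensitive-category records outside their caseload."""
    counts = defaultdict(int)
    for e in events:
        if e["category"] in SENSITIVE and not e["assigned"]:
            counts[e["agent"]] += 1
    return {a for a, n in counts.items() if n >= SENSITIVE_LIMIT}

def unusual_exports(events):
    """Exports of records not on the agent's caseload, or outside working hours."""
    lo, hi = WORK_HOURS
    return [(e["agent"], e["record"]) for e in events if e["action"] == "export"
            and (not e["assigned"] or not lo <= e["ts"].hour < hi)]
```

Thresholds like these belong in a tuned alerting pipeline, with each hit routed to the named escalation owner rather than left in a log nobody reads.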

The same principle sits behind our recent coverage of the Rizwan Manjra confiscation order. Different employer. Different facts. Same operational weakness: people kept access they should not have been using, and the problem became visible only after suspicious patterns were investigated.

Training still matters, but it is not enough on its own

Staff training belongs in the response, especially where teams handle large volumes of customer information. People need clear examples of what unlawful browsing looks like, how to report pressure from third parties, and what happens if they misuse records for profit. But training without oversight turns into hope. Our piece on data protection refresher training covers the ICO’s view that training should happen at appropriate intervals and be documented properly.

For a practical staff baseline, the free GDPR training course gives teams a clear starting point.
