Recently, the Information Commissioner’s Office published the outcome of a criminal prosecution.

The title?

Just two names: Christopher Munro and William Chipoma.

No explanation. No softening. No anonymity.

And that, in itself, is a powerful lesson in how data protection law really works.

Data protection isn’t about secrecy

There’s a persistent myth that data protection is about hiding information.

It isn’t.

It’s about using personal data lawfully, fairly and appropriately.

In this case, the ICO has deliberately published the names of two individuals convicted of unlawfully accessing and selling personal data. That information is now:

- Public
- Searchable
- Permanently associated with them

That’s not a failure of data protection.
That’s data protection law working exactly as intended.

From exploiting data… to becoming the data

The facts of the case are stark.

Both individuals deliberately sought employment in organisations handling personal data. Not to do the job, but to gain access.

They then:

- Accessed thousands of records without authority
- Sold personal data for financial gain
- Moved roles when access was restricted

This wasn’t a mistake. It wasn’t poor training.
It was intentional misuse of personal data for profit.

And now, their own personal data is being used to hold them accountable.

The risk most organisations underestimate

When businesses think about data protection risk, they usually think about:

- Hackers
- Cyber attacks
- External threats

But this case highlights a different reality:

The biggest risk to your data may already have legitimate access to it.

This is the insider threat.

No sophisticated hacking required.

Just:

- Access to systems
- Weak controls
- Lack of monitoring

What this means for your organisation

This isn’t just an interesting case. It’s a warning.

If your organisation handles personal data (and every organisation does), you should be asking:

- Who has access to your data and why?
- Are access levels genuinely limited to what’s necessary?
- Would you know if someone was extracting large volumes of data?
- Do you review access regularly, or just set it and forget it?

And perhaps most importantly:

- Are you assuming trust, instead of actively managing risk?

The bigger picture

The ICO publishing two names in a headline is not heavy-handed.

It’s deliberate.

It demonstrates that data protection law is not about shielding people from consequences. It’s about ensuring personal data is used appropriately, whether that’s protecting individuals, or holding them to account.

Final thought

Everyone worries about hackers.

Far fewer organisations consider the risk of someone walking through the front door, gaining access legitimately, and misusing data from the inside.

But as this case shows, that risk is very real and the consequences are too.

Jemma Handley is the founder of JH Data Protection Ltd, a specialist data protection consultancy led by a legally‑qualified advisor providing support on UK GDPR, EU GDPR and privacy law, including DPIAs, risk assessments, policy development, training and external DPO services.
