
Employee data breach highlights risks to employers

By Donald MacKinnon
Employment Law & HR

Ahead of the introduction of the GDPR, employers will be undertaking an assessment of personal data in order to ensure that processing is GDPR compliant. If you haven’t started preparations yet, never fear; our suite of materials is available on the client area of our website to help guide you through the process. There are also spaces available on our final public training event focusing on GDPR preparations taking place in Glasgow on 23rd March.

As part of their preparations, employers should also be thinking about internal rules for data processing and data security and, importantly, thinking ahead to how these will be communicated to staff. A recent criminal case in which an employee was fined for breach of the Data Protection Act underlines the importance of ensuring that clear data use policies are in place.

While the employee in question was working for Nationwide Accident Repair Services, he covertly downloaded large volumes of customer data using his laptop at home and sold it to nuisance call firms. It was only when the company began receiving complaints from customers that the use of data was examined and the employee’s crimes were detected. The individual pled guilty and was fined £500 by the Information Commissioner’s Office as well as being ordered to pay costs and charges of over £400.

The case was decided under the current data protection regime. Had it been heard after the introduction of the GDPR, not only could the fine have been much higher, but the company could also have come under fire for its data security arrangements. While the employee in this case was clearly not authorised to access data in this way, more stringent processes and security checks might have flagged up the breach before customers began to complain.

The case serves as a timely reminder to employers that not only should they be thinking about analysing the data they process, but also reviewing their internal rules and security systems to ensure that legitimate use of data is lawful and that illegitimate use is easily contained.

© Copyright of Law At Work 2021 Law At Work is part of Marlowe plc’s employee relations division