Most employers will be aware of their duties under the Data Protection Act, but did you know that employees can be held personally liable for their failure to safeguard information too?
The guardian of all things data, the Information Commissioner, has wide ranging powers to enforce the provisions of the Data Protection Act. Most complaints made about data abuses are dealt with by the Information Commissioner without need for legal proceedings; however, the Commissioner does have the ability to bring civil and even criminal proceedings.
In two recent cases, former employers have been prosecuted and fined for breach of the Act. In Winchester three former employees of a car rental company were subject to both civil and criminal proceedings after they sold on stolen customer information to accident claims companies. The trio made thousands of pounds over a two and a half year period.
They pled guilty in court, having already been ordered to pay £400,000 in compensation to their former employer in a civil action. In the criminal case brought by the Information Commissioner, they were ordered to pay further fines and made to contribute towards the costs of their prosecution.
In a separate case in Warrington, a recruitment agent was fined for unlawfully accessing personal data of her employer’s clients and sending it to her own email address prior to leaving the company to work for a competitor. She then used the data to contact former clients in her new job. The defendant was ordered to pay £200 in fines together with £214 in prosecution costs and a £30 victim surcharge.
It is common for employers in these circumstances to consider relying on restrictive covenants to prevent an employee from stealing client information. However, this case serves as a reminder that the Information Commissioner can also get involved where the employee’s actions are in breach of the Act.