Recent activity from the ICO has clarified that it’s not just businesses that need to be wary of breaches of data protection, after two employees were convicted of unlawfully accessing personal data and were personally fined.
In both cases the employees were prosecuted under section 55 of the Data Protection Act 1998, now repealed and replaced by a similar provision at section 170 of the Data Protection Act 2018. The Act stated that a person must not knowingly or recklessly, without the permission of the data controller, access or disclose personal data.
In the first case, an NHS employee who, as part of her role, had access rights to the personal records of patients abused this privilege and accessed the data of several family members and children known to her. Accessing this information was outwith the scope of her role and she did not need to access it to perform her duties.
The employee in question fully admitted to these offences and was fined £1,000 (with a £50 victim surcharge), as well as being ordered to pay towards prosecution costs as a result of her actions.
The second case involved an employee who, before leaving her role, forwarded several emails from her work account to her personal email account. The emails in question contained the personal data of customers and other employees, and presumably were to be used by the employee in her future employment. In this case, again the employee admitted to offences under section 55, and as a consequence she was fined £200 (with a £30 victim surcharge) and ordered to contribute towards prosecution costs.
Lessons for employers
These cases serve as a reminder that ‘bad leavers’ can be pursued by the governing body. A common issue faced by employers is whether employees will attempt to take customer or client information with them when they leave employment and subsequently go to work for a competitor. While carefully drafted restrictive covenants and ongoing confidentiality obligations in the contract of employment are the first line of defence against such conduct, the enforcement of such terms can be expensive, difficult and uncertain.
The data protection offences committed in these two recent cases, and the ICO’s apparent interest in prosecuting them, potentially provide an additional deterrent to those thinking of taking confidential customer or client information when they leave. This is especially pertinent in certain regulated sectors such as law and finance, where any convictions could potentially have a significant impact on their future career prospects. Therefore, employers should consider warning employees explicitly about the criminal consequences of unlawfully obtaining personal data upon their departure and make it clear that any such behaviour will be reported to the regulator with a view to prosecution.
It is unclear how many more cases like this will arise. However, the head of the ICO’s criminal investigations team has emphasised that this will be an area of ongoing concern for the regulator.