Both cases were prosecuted under section 55 of the Data Protection Act 1998 (now repealed), which states that a person must not knowingly or recklessly, without the permission of the data controller, access or disclose personal data. (A similar provision can now be found in section 170 of the Data Protection Act 2018.)
In the first case, an NHS employee with access rights to personal records viewed the data of several family members and children known to her without a professional need to do so. She admitted to offences under section 55 and was fined £1,000 (with a £50 victim surcharge), as well as being ordered to pay towards prosecution costs.
The second case concerned an employee who, before resigning from her role, forwarded several emails containing personal data of customers and other employees from her work account to her personal email account. Having also admitted offences under section 55, she was fined £200 (with a £30 victim surcharge) and ordered to contribute towards prosecution costs.
Implications
The second prosecution will be of particular interest to employers who face issues with employees taking customer or client information with them when they leave to go to a competitor. While carefully drafted restrictive covenants and ongoing confidentiality obligations in the contract of employment are the first line of defence against such conduct, the enforcement of such terms can be expensive, fraught and uncertain.
The data protection offences committed in these two recent cases, and the ICO’s interest in prosecuting them, operate as an additional deterrent to those thinking of taking customer or client information with them when they leave. This is especially the case for individuals in regulated sectors such as law and finance, for whom any convictions could potentially have a significant impact on their careers. Employers should therefore consider warning employees explicitly about the criminal consequences of unlawfully obtaining personal data - and also that any such behaviour will be reported to the regulator with a view to prosecution.
It remains to be seen how many more cases like this will arise. Mike Shaw, who heads up the ICO’s criminal investigations team, has however emphasised that this will be an area of ongoing concern for the regulator:
“People expect that their personal information will be treated with respect and privacy. Unfortunately, there are those who abuse their position of trust and the ICO will take action against them for breaking data protection laws.”
For further information about workplace data privacy matters, please contact members of our data protection team.