Hot on the heels of the Morrisons data protection breach covered by us in January’s newsletter, we have a further high profile data protection case in the form of the Information Commissioner’s Office (ICO) prosecution of an employee who made off with confidential client details. Whilst it has long been established that civil proceedings are available to businesses in such circumstances, the ICO has shown that it is not willing to take a back seat in such matters, and the following case highlights its successful prosecution of an individual for data protection breaches.
A quick overview of data protection legislation: The Data Protection Act 1998 (DPA) is the main piece of legislation that governs the protection of personal data in the UK. Personal data is recorded information on identifiable living people. It is important to note that where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be “personal data”.
Data means information which:
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should be processed by means of such equipment;
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68; or
(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d) above.
Accessible records are records held by public authorities such as health records or educational records.
Personal data means data which relates to a living individual who can be identified:
(a) from that data, or
(b) from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Anyone who processes personal information must comply with the 8 data protection principles outlined by the DPA, which are to make sure that personal information is:
- Fairly and lawfully processed;
- Processed for limited purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Not kept for longer than is necessary;
- Processed in line with your rights;
- Secure; and
- Not transferred to other countries without adequate protection.
Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the DPA. The offence is punishable by way of a fine in the Magistrates’ Court or the Crown Court.
The facts of this case
Mark Lloyd, who worked for a waste management company in Shropshire, emailed the details of 957 clients to his personal email address shortly before leaving his job to work for a rival company. The documents contained personal information including the contact details and purchase history of customers and other commercially sensitive information.
Upon receipt of a complaint, the ICO investigated and brought proceedings against Mr Lloyd. Mr Lloyd subsequently pleaded guilty to unlawfully obtaining the data and was prosecuted at Telford Magistrates’ Court on 26 May 2016 under section 55 of the Data Protection Act. As well as a criminal record he received a fine of £300 and was ordered to pay a victim surcharge of £30 and £405.98 costs.
Following the successful prosecution, Steve Eckersley, head of enforcement at the ICO said: “Taking client records that contain personal information to a new job, without permission, is a criminal offence. Employees need to be aware that documents containing personal data they have produced or worked on belong to their employer and are not theirs to take with them when they leave. Don’t risk a day in court by being ignorant of the law.”
What does this mean for you or your business?
Safeguarding personal data is important for any business. This case shows that not only is the ICO prepared to impose sanctions against businesses that breach the DPA, but it will also willingly prosecute individual employees guilty of the same.
It is key for employers to understand that their remedy in respect of an employee’s breach of data protection is not limited purely to a civil claim to enforce the contractual duty of confidentiality or any restrictive covenants contained within employees’ contracts of employment. It is also open to the company to make a complaint to the ICO, which may in turn lead to the criminal prosecution of the individual concerned. This is an added deterrent to individuals who may be thinking about making off with confidential data in the future.
What do you need to be doing now?
Businesses should make sure that their data protection policies are up to date and that employees are aware of, and have had training in relation to, their contents. In addition, employees should be made aware of the DPA itself and what it means for them. Training sessions should highlight that, in addition to internal disciplinary procedures and civil claims, there may also be criminal sanctions for those in breach of the DPA.
If you have any concerns or would like some more information on the Data Protection Act, please call or email us.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.