It is not just businesses that need to worry about the consequences of a data breach.

The Information Commissioner’s Office (“ICO”) has warned all those who have access to personal data after two employees were convicted and fined when found guilty of unlawfully accessing information.

Both cases were prosecuted under section 55 of the Data Protection Act 1998 (now repealed), which states that a person must not knowingly or recklessly, without the permission of the data controller, access or disclose personal data. (A similar provision is included as section 170 of the Data Protection Act 2018.)

In the first case, an NHS employee with access rights to personal records viewed the data of several family members and children known to her without a professional need to do so. She admitted to offences and was fined £1,000, as well as being ordered to pay towards prosecution costs and a victim surcharge.

The second case concerned an employee who, before resigning from her role, forwarded several emails containing personal data of customers and other employees from her work to her personal email account. She was fined £200, as well as being ordered to pay towards prosecution costs and a victim surcharge.


The second prosecution will be of particular help to employers faced with an employee who has taken customer or client information with them when they leave. While carefully drafted restrictive covenants and ongoing confidentiality obligations in the contract of employment can have a deterrent effect, enforcing the terms can be expensive and time consuming.

The data protection offences, and the ICO’s interest in prosecuting them, operate as an additional deterrent to those thinking of taking customer or client information with them when they leave. This is especially the case for individuals in regulated sectors such as law and finance, for whom any convictions could potentially have a significant impact on their careers.

“People expect that their personal information will be treated with respect and privacy. Unfortunately, there are those who abuse their position of trust and the ICO will take action against them for breaking data protection laws.”

Mike Shaw, who heads up the ICO’s criminal investigations team

Employers should consider warning employees explicitly about the criminal consequences of unlawfully obtaining personal data – and also that any such behaviour will be reported to the regulator with a view to prosecution.

It remains to be seen how many more cases like this will arise. Mike Shaw, who heads up the ICO’s criminal investigations team, has however emphasised that this will be an area of ongoing concern for the regulator.

