It is not just businesses that need to worry about the consequences of a data breach.
The Information Commissioner’s Office (“ICO”) has warned all those who have access to personal data after two employees were convicted and fined when found guilty of unlawfully accessing information.
Both cases were prosecuted under section 55 of the Data Protection Act 1998 (now repealed), which states that a person must not knowingly or recklessly, without the permission of the data controller, access or disclose personal data. (A similar provision is included as section 170 of the Data Protection Act 2018.)
In the first case, an NHS employee with access rights to personal records viewed the data of several family members and children known to her without a professional need to do so. She admitted to offences and was fined £1,000, as well as being ordered to pay towards prosecution costs and a victim surcharge.
The second case concerned an employee who, before resigning from her role, forwarded several emails containing personal data of customers and other employees from her work to her personal email account. She was fined £200, as well as being ordered to pay towards prosecution costs and a victim surcharge.
Implications
The second prosecution will be of particular help to employers faced with an employee who has taken customer or client information with them when they leave. While carefully drafted restrictive covenants and ongoing confidentiality obligations in the contract of employment can have a deterrent effect, enforcing the terms can be expensive and time consuming.
The data protection offences, and the ICO’s interest in prosecuting them, operate as an additional deterrent to those thinking of taking customer or client information with them when they leave. This is especially the case for individuals in regulated sectors such as law and finance, for whom any convictions could potentially have a significant impact on their careers.
“People expect that their personal information will be treated with respect and privacy. Unfortunately, there are those who abuse their position of trust and the ICO will take action against them for breaking data protection laws.”
Mike Shaw, who heads up the ICO’s criminal investigations team
Employers should consider warning employees explicitly about the criminal consequences of unlawfully obtaining personal data – and also that any such behaviour will be reported to the regulator with a view to prosecution.
It remains to be seen how many more cases like this will arise. Mike Shaw, who heads up the ICO’s criminal investigations team, has however emphasised that this will be an area of ongoing concern for the regulator.