Employees prosecuted for data offences
This year there have been reports of three separate prosecutions by the Information Commissioner’s Office (ICO) against former employees who obtained, or attempted to obtain personal data belonging to their former employers.
In April, the ICO prosecuted a former insurance company employee for attempting to obtain personal data without the data controller’s consent. The individual pleaded guilty to a breach of the Data Protection Act at Bournemouth Magistrates’ Court and was fined £300. He was also ordered to pay £614.40 costs and a £30 victim surcharge. According to the Bournemouth Echo, the man offered money to an ex-colleague in return for details of customers who has been involved in road accidents.
More recently, an employee who worked for a waste management company in Shropshire pleaded guilty to sending the details of almost 1000 clients to his personal email account before leaving to go and work for a rival company. According to the ICO, the documents contained personal information including the contact details of customers, purchase histories and other commercially sensitive information. The individual also received a similar fine and was ordered to pay costs and a victim surcharge.
Earlier this year, the Information Commissioner called for stronger sentencing powers in relation to anyone who is found guilty of stealing personal data. This followed the successful prosecution of a car rental company employee who sold data relating to car accidents. The individual had reportedly copied over 28,000 records and received over £5,000 for their sale. The individual received a fine of £1,000, £864.40 costs and a £100 victim surcharge.
Christopher Graham, Information Commissioner said, “With so much concern about the security of data, it is more important than ever that the courts have at their disposal more effective deterrent penalties than just fines. People who break the criminal law by trading in other people’s personal information need to know that they will be severely punished and could even go to prison.”
It is possible that criminal prosecutions against former employees who obtain or try to obtain personal data from their ex-employers may become more commonplace. Regardless of this, employers still need to ensure that they safeguard personal data and that employees are aware of their obligations to safeguard personal data as part of their jobs. A comprehensive data protection policy is important but employees should also receive training, at induction and at regular intervals to ensure that they are aware of their responsibilities. It is not only employees who face prosecution for breaches of the Data Protection Act, employers may also face prosecution if their systems and process are not adequate to prevent data breaches.
6 June 2016
©2016 SCRASE LAW LTD. THIS POST IS FOR GENERAL INFORMATION ONLY AND IS NOT ADVICE. YOU ARE RECOMMENDED TO SEEK COMPETENT PROFESSIONAL ADVICE BEFORE TAKING ANY ACTION ON THE BASIS OF THIS POST.