Employee's Use of Personal Data

Background

The Information Commissioners Office (ICO), has bought four prosecutions over the past seven months against employees who have illegally accessed and disclosed personal data held by their employer. These have led to fines of up to £4,391. More significantly from a personal perspective, at least three of the relevant employees are no longer in their post following such illegal access.

The ICO has made clear that it wants more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

Chris Grayling, Secretary of State for Justice, wrote to Keith Vaz last month advising that the public will be consulted as to whether there should be custodial sentences for breaches of the Data Protection Act 1998 (DPA).

The Law

Unlawfully obtaining or disclosing personal data is a criminal offence under section 55 of the DPA. The offence is punishable by way of ‘fine only’ - up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court.

The DPA also requires:

that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes ("2nd DPP"); and

a data controller to implement appropriate technical and organisational measures and a level of security appropriate to the harm that may result from unauthorised or unlawful processing or accidental loss, destruction or damage of personal data and the nature of the personal data to be protected ("7th DPP").

Lessons from such Prosecutions

Lessons to be learned from the recent prosecutions and fines include:

  • employers must give appropriate data protection training to their staff regarding the DPA, including the 2nd DPP and 7th DPP. This is to try to ensure employees do not access personal data unless required to do so as part of their job. We suggest this should be done as part of an employee's induction and also covered in the employer's contract of employment and / or data protection policy. Upon becoming aware of a breach of the DPA, amongst other things, prompt remedial action should be taken;
  • employees must note that illegally accessing and distributing personal data is not just morally wrong, it is a breach of the law. It can lead to you losing your job and / or being fined by a court. If any prosecution is publicised, prospective employers may find out via online searches;
  • judging from the increase in prosecutions, this is an area that the ICO is becoming increasingly active in. The ICO has publically stated that 'we need a more appropriate penalty for the crime of personal data theft. With the law as it stands, this prosecution isn’t even recorded on the police national computer which means that an offender could apply for a job in a high street bank tomorrow and the potential employer wouldn’t be informed about the offence. The current 'fine only' regime is clearly not deterring people from breaking the law'.

Nathaniel Lane is a Solicitor in Michelmores' Technology, Media and Communications Team who has an ISEB Certificate in Data Protection. For further information on this matter or data protection generally, please contact Nathaniel at nathaniel.lane@michelmores.com or on 0207 788 6313.