The Information Commissioner’s Office (ICO) has prosecuted a former employee who transferred confidential information about company clients before moving to a new job with an industry rival.
Risk of criminal prosecution
Although the fine and costs awarded against the individual in this case were low compared with fines imposed on companies for breach of their data protection obligations, this criminal prosecution (and with it the risk of a criminal record) demonstrates that, if handled properly, the Data Protection Act 1998 (DPA) can provide businesses with an additional weapon in the fight to protect themselves from competitive attack by employees preparing to join or set up rival businesses. The employee was also named and shamed on the ICO’s website.
The offending act: emailing commercially sensitive information
The employee sent details of 957 clients to his personal email address as he was leaving to start a new role at a rival company. The emails contained commercially sensitive information, including personal data in the form of contact details and the purchase history of customers.
The ICO brought the prosecution under section 55 DPA, which provides that a person must not knowingly or recklessly, without the consent of a data controller, obtain or disclose personal data (or the information contained in personal data) or procure the disclosure to another person of the information contained in personal data. The data controller in this case was the individual’s former employer.
On pleading guilty, the employee was fined and ordered to pay a victim surcharge and costs.
‘Don’t risk a day in court by being ignorant of the law’
This is not the first prosecution under section 55, and it is a provision that is likely to take on increasing significance as employers battle against developing technology that enables employees joining or setting up rival businesses to take confidential information all too easily and without the employer’s consent.
In an ICO press release its Head of Enforcement commented:
“Employees need to be aware that documents containing personal data they have produced or worked on belong to their employer and are not theirs to take with them when they leave. Don’t risk a day in court by being ignorant of the law”.
In an earlier prosecution in April 2016, the ICO warned that “anyone who tries to unlawfully obtain, disclose or sell personal data should expect to see themselves hauled before the courts”. And whilst at present there is no threat of imprisonment for those found guilty, it is not out of the question if the Secretary of State follows recent calls from the ICO to bring into force the power in the DPA for custodial penalties to be imposed. In serious cases of data misuse, the threat of prison would certainly raise the stakes.
Preventing misuse of your confidential information – do your employees know what is at stake?
The real power of section 55 DPA for employers will be in preventing an assault on their data in the first place – not simply relying on the ICO to sanction an individual after the event.
Taking steps now could stop any unlawful misappropriation of data (or any further disclosure of it) in its tracks, avoiding damage to an employer’s business and in many cases an inevitably acrimonious and costly legal battle. Key steps to take and consider include:
- Make employees aware that a criminal prosecution could be brought against them if they misappropriate personal data. In termination letters, employers often draw attention to contractual provisions which apply to protect their business following the end of employment; as an additional deterrent, they should also now consider adding wording to these letters, and any applicable policies and procedures, confirming that the ICO (and any appropriate regulatory body) will be notified if it is suspected that data has been obtained or disclosed without consent.
- Include the threat of notification to the ICO (and any appropriate regulatory body) in any letters to a former employee and a new employer where unlawful misappropriation is suspected. A new employer who consents to or connives in, or is negligent in respect of, the employee’s misuse of data will also be criminally liable.
- Keep a particularly careful watch over an employee’s activities on any electronic systems in the period following notice of termination being given by either party. Is an individual accessing records which are not directly relevant to their day-to-day job, or perhaps accessing high volumes of data?
- Ensure your house is in order – with the General Data Protection Regulation coming into force in Summer 2018, imposing greater and more prescriptive obligations on data controllers and data processors, now is the time to start preparing. Employers should consider the following:
  - What personal data is held?
  - How is it stored and protected?
  - Who has access to it?
  - What is the legal basis relied on in order to hold and process such data?
- An employer will be a data controller in many instances, with the accompanying obligation to put in place measures to protect the personal data they control from any vulnerability. The ICO currently has the power to impose a monetary penalty on a data controller of up to £500,000 and, when the GDPR is in force, the maximum penalty for non-compliance will increase to EUR20 million or, if higher, 4% of an undertaking’s worldwide turnover.
The threat of criminal prosecution under section 55 DPA is just one tool an employer can use to protect its business from data theft, but it is one which raises the stakes for the alleged perpetrator.