Employee criminally liable under the Data Protection Act for taking confidential information to competitor

The Information Commissioner’s Office (ICO) has prosecuted a former employee who transferred confidential information about company clients before moving to a new job with an industry rival.

Risk of criminal prosecution

Although the fine and costs awarded against the individual in this case were low compared with fines imposed on companies for breach of their data protection obligations, this criminal prosecution (and with it the risk of a criminal record) demonstrates that, if handled properly, the Data Protection Act 1998 (DPA) can provide businesses with an additional weapon in the fight to protect themselves from competitive attack by employees preparing to join or set up rival businesses. The employee was also named and shamed on the ICO’s website.

The offending act: emailing commercially sensitive information

The employee sent details of 957 clients to his personal email address as he was leaving to start a new role at a rival company. The emails contained commercially sensitive information, including personal data in the form of contact details and the purchase history of customers.

The ICO brought the prosecution under section 55 DPA, which provides that a person must not knowingly or recklessly, without the consent of a data controller, obtain or disclose personal data (or the information contained in personal data) or procure the disclosure to another person of the information contained in personal data. The data controller in this case was the individual’s former employer.

On pleading guilty, the employee was fined and ordered to pay a victim surcharge and costs.

‘Don’t risk a day in court by being ignorant of the law’

This is not the first prosecution under section 55, and it is a provision that is likely to take on increasing significance as employers battle against developing technology that makes it all too easy for employees joining or setting up rival businesses to take their confidential information without their consent.

In an ICO press release its Head of Enforcement commented:

“Employees need to be aware that documents containing personal data they have produced or worked on belong to their employer and are not theirs to take with them when they leave. Don’t risk a day in court by being ignorant of the law”.

In an earlier prosecution in April 2016, the ICO warned that “anyone who tries to unlawfully obtain, disclose or sell personal data should expect to see themselves hauled before the courts”. And whilst at present there is no threat of imprisonment for those found guilty, it is not out of the question if the Secretary of State follows recent calls from the ICO to bring into force the power in the DPA for custodial penalties to be imposed. In serious cases of data misuse, the threat of prison would certainly raise the stakes.

Preventing misuse of your confidential information – do your employees know what is at stake?

The real power of section 55 DPA for employers will be in preventing an assault on their data in the first place – not simply relying on the ICO to sanction an individual after the event.

Taking steps now could stop any unlawful misappropriation of data (or any further disclosure of it) in its tracks, avoiding damage to an employer’s business and in many cases an inevitably acrimonious and costly legal battle. Key steps to take and consider include: