Last month the Information Commissioner’s Office (ICO) published details of the most recent in a string of prosecutions brought against employees who have unlawfully obtained and/or misused personal data belonging to their employers.
Section 55 of the Data Protection Act 1998 makes it a criminal offence for any person, including an employee, to knowingly or recklessly obtain or disclose personal data without the consent of the data controller (in these cases, the employer) or to procure its disclosure to another. Employers who fall victim to illicit data extraction by employees therefore have the option to approach, and assist in a prosecution brought by, the ICO or the police in response to the employee’s misconduct.
On 21 September 2017, the ICO reported that a former employee of Leicester City Council had pleaded guilty to unlawfully obtaining (and emailing to himself) the medical, care and financial records of individuals who had used Leicester City Council’s Adult Social Care Department. He had done so without the consent of his employer and with a view to setting up his own business. The former employee had breached section 55 of the Data Protection Act by misappropriating the personal data of 349 vulnerable people. He was fined £160 and ordered to pay £364 in prosecution costs and a £20 victim surcharge.
Earlier that month, a former data co-ordinator for the University Hospitals of North Midlands NHS Trust was prosecuted for accessing the sensitive medical records of colleagues and local people. The magistrates’ court handed down a £700 fine and ordered the defendant to pay costs of £364 and a £70 victim surcharge.
In early August of this year, a former employee of Colchester Hospital University NHS Foundation Trust pleaded guilty to two offences under section 55 for (1) accessing the sensitive health records of 29 people, including friends and associates and (2) disclosing the accessed information to third parties. She was fined £400 for obtaining the personal data and £650 for disclosing it. The defendant was also ordered to pay prosecution costs of £600 and a victim surcharge of £65.
Finally, in late July of this year, a former employee of a Walsall-based domestic services company was found to have emailed the CVs of 26 job applicants to a third-party company without his employer’s consent. After pleading guilty to the section 55 offence, the defendant was fined £573 and ordered to pay £364 in costs and a £57 victim surcharge.
Advice for employers
The 1998 Act itself imposes no general statutory duty on employers to notify the ICO of a breach, but the ICO’s guidance is that ‘serious’ breaches of data security should be reported to it, and from 25 May 2018 the GDPR makes notification of a personal data breach within 72 hours mandatory unless the breach is unlikely to result in a risk to individuals. The misuse of sensitive personal data, such as medical and financial records, is therefore likely to be an incident that should be reported.
If a prosecution is brought against the breaching employee then the employer’s own conduct may also be called into question. As data controller the employer must take appropriate technical and organisational measures to prevent unauthorised processing of personal data (the seventh data protection principle). If it has been negligent in its staff training, access controls or treatment of the relevant personal data, it could face enforcement action by the ICO, including a monetary penalty of up to £500,000 under section 55A of the Act.
The above cases and the prosecutions which came before them show a clear pattern of:
- employees seeking to exploit personal data belonging to their employers for their own gain; and
- employees with access to sensitive records letting curiosity (and a lack of judgement) get the better of them.
Prevention is therefore the best policy and all employees with access to customer or patient records (sensitive or otherwise) should be trained on how they can and cannot use that personal data. A prominent (and enforced) customer/patient data protection policy is the first line of defence for employers. A measured reminder of employees’ potential criminal liability for breach of section 55 of the Data Protection Act should act as a strong deterrent to would-be offenders. Policy and training alone will not stop every case of the kind described above, so access to records should also be limited to what each role genuinely needs, access to records should be logged, and bulk exports or the emailing of records to personal or external addresses should be monitored; those logs are also the evidence on which any report to the ICO or prosecution will depend.
It should be remembered that it is potentially unlawful (it may amount to blackmail) to use the threat of reporting the individual to the ICO or the police as leverage in compromise negotiations with a current or former employee.
Potential liability for employees
All offences under the Data Protection Act 1998 are currently punishable by fine only. In principle, a person convicted of breaching section 55 can be subject to an unlimited fine. In practice, the magistrates’ court will set the fine by reference to the Magistrates’ Court Sentencing Guidelines and the defendant’s means, and the fines in the cases referred to above therefore give a good indication of the liability defendants actually face.
Section 77 of the Criminal Justice and Immigration Act 2008 allows the Secretary of State, by order, to increase the maximum penalty for breach of section 55 from a fine to up to two years’ imprisonment, but no such order has been made to date. It may be that we start seeing stricter penalties for these types of offences, particularly if they become more common as more records are held digitally.
If you have any data protection enquiries, including concerns about misuse of personal data by employees, then please do not hesitate to contact Laura Trapnell on 02380 482114 or by email, or me on 02380 482316 or by email.