Latest insights from our experts
Case Update – Former Employee Prosecuted by ICO for Unlawfully Obtaining Client Data
The Information Commissioner’s Office (ICO) has announced that a former employee of a recruitment agency in Widnes has been prosecuted for the offence of unlawfully obtaining data.
Rebecca Gray emailed personal data of around 100 potential and existing clients to her personal email address. Ms Gray subsequently left her employment and started a new job with a rival recruitment agency. She then used the personal data to make contact in her new job.
The ICO prosecuted Ms Gray for unlawfully obtaining data. At the hearing at Warrington Magistrates Court, Ms Gray pleaded guilty to the offence under section 55 of the Data Protection Act 1998 (DPA). She was fined £200, ordered to pay £214 prosecution costs and a £30 victim surcharge.
This is a cautionary tale for employees and a reminder that everyone has a duty to comply with data protection obligations. An employee who emails personal data to a private email account is effectively ‘processing’ the data and, if done without authority, could be deemed unlawful even if they do nothing further with it. This case also demonstrates the risk to employers where employees use non-work email accounts or personal electronic devices for work purposes. Any breach of the DPA by an employee could lead to the employer, as well as the culpable employee, being prosecuted by the ICO.
It is important that your employees are fully aware of their obligations under the DPA through regular training and a clear DPA policy. You should consider whether to allow employees to use personal email addresses and electronic devices for work purposes and, if so, have a clear policy on use so that your customers’ data is protected.
For further advice contact our specialist employment team on 01392 207020 or e-mail firstname.lastname@example.org.