The Information Commissioner's Office ("ICO") has prosecuted a former employee for taking information about his previous employer's clients with him in advance of moving to a new job.
Under section 55 of the Data Protection Act 1998 ("DPA"), it is a criminal offence to obtain personal data without the consent of the data controller.
The case in hand
The employee worked for a waste management company, Acorn Waste Management Ltd ("Acorn"), but was due to move to a new job for a rival business. Before moving jobs, he sent an email to his personal email address (without Acorn's consent) containing information relating to 957 clients of Acorn, including their contact details and purchase history.
The ICO prosecuted the employee under section 55 of the DPA. The employee pleaded guilty at court and was fined £300 as punishment. The court also ordered the employee to pay a victim surcharge of £30 and costs of £405.98.
Commenting upon the prosecution, Steve Eckersley, the ICO's head of enforcement, said:
"Taking client records that contain personal information to a new job, without permission, is a criminal offence.
Employees need to be aware that documents containing personal data they have produced or worked on belong to their employer and are not theirs to take with them when they leave. Don’t risk a day in court by being ignorant of the law."
Employees should carefully consider their actions in relation to personal data when they change jobs. Employees should not think that they can take personal information of their previous employer's customers (or other employees) with them when they change jobs simply because they used that information when working for their previous employer.
This case should also be taken on board by employers, in particular encouraging them to provide data protection training to their employees. Such training would protect both employees, by explaining their responsibilities under the DPA, and employers - under the DPA, employers must process personal data safely and securely, and this obligation includes ensuring the that their employees use personal data reliably.
Harsher penalties in the future
The ICO is calling for more severe sentences to be available to the courts when punishing the unlawful use of personal data, including suspended sentences, community service and prison for the most serious cases. Firstly, the ICO wants such sentences introduced to further deter people from breaking data protection laws. Secondly, the ICO wants to overcome the potential limitations of just imposing fines; for example, where someone breaks data protection laws and loses their job as a result, they may not have any money to pay a sizeable fine, which the courts have to reflect in their sentence. Employees therefore should certainly watch this space.