If you are an employer and are worried about how to prevent your employees taking customer data when they leave or you are an employee who is thinking of taking customer data on departure, please be aware that in the UK there are several recent decisions you should read.
Firstly the Information Commissioner’s Office published a warning that employees that walk off with personal information of their employer when changing jobs is a criminal offence. This warning was made on the day a paralegal, who had previously worked at a law firm in Yorkshire was prosecuted for illegally taking the sensitive information of over 100 people before leaving for a rival firm. The information was contained in 6 emails by James Pickles in the weeks before he left the firm. Pickles had hoped to use the information, which included workload lists, file notes and template documents that still contained sensitive personal data, in his new role.
Pickles was prosecuted under section 55 of the Data Protection Act 1998 and fined and ordered to pay prosecution costs.
Stephen Eckersley, the ICO Head of Enforcement said “stealing personal information is a crime. Employees may think work related documents that they have produced or worked on belong to them and so they are entitled to take them when they leave. If they include people’s details, then taking them without permission is breaking the law.”
Unlawfully obtaining or accessing personal data is punishable by way of “fine only” of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court, The ICO continues to call for more effective deterrent sentences including the threat of prison.
Apart from the theft of personal data, in the recent case of Intercity Telecom Limited v Solanki, the Birmingham Mercantile Court (part of the Queen’s Bench Division) heard a case brought against Mr Solanki, who had in the last few weeks of his employment downloaded from his employer’s network, a large volume of customer records onto memory sticks which he took away.
He used the downloaded information to entice away Intercity’s customers for the benefit of their competitors. This case was brought against Mr Solanki on the basis that he had infringed the database rights of the Claimants as well as breaching his duty of confidence and his employment contract. Whilst this case did not centre on unlawfully obtaining personal data it could well have done.