The Information Commissioner's Office ("ICO") has recently prosecuted an employee who illegally transferred information about company clients to his email account before starting to work for a competitor. The employee sent the sensitive information including personal data and purchase history of 957 customers of the waste management company he was working for to his personal email address.

The unlawful obtaining or disclosing of personal data or the information contained in personal data is a criminal offence under section 55 of the Data Protection Act 1998. It can be penalized by way of a fine up to £5,000 in the Magistrates Court or an unlimited fine in the Crown Court. The employee was fined £300 and ordered to pay a victim surcharge of £30 and costs of £405.98.

This follows the ICO taking action earlier on this year under the same section after an ex-employee of the insurance company, "LV=", attempted to get an existing employee of LV= to sell customer data to him. He was fined £300 and ordered to pay a victim surcharge of £30 and costs of £614.40. Another employee was fined £1000 and ordered to pay a victim surcharge of £100 and costs of £8654.40 after selling almost 28,000 customer records from the car rental company she worked for, for £5,000.

COMMENT

  • It is useful to remember that criminal liability may attach to breaches of the Data Protection Act 1998 (in addition to civil liability).   
  • Companies would be well-advised to notify the ICO if they have a concern about an individual misusing personal data, especially employees who have access to customer data and/or are moving to competitors. Where they do so, it will help avoid criticism for covering up or not taking proper action to remedy a data breach.  
  • The recent action taken by the ICO comes at a time when it is calling for stronger sentencing power for people convicted of stealing personal data, including custodial sentences.