The Information Commissioner’s Office (‘ICO’) has successfully brought a prosecution against Rochdale Connections Trust worker, Robert Morrisey, for copying and sharing sensitive personal data without authorisation.
This is further proof of the ICO’s apparent heightened efforts in recent months to pursue criminal prosecutions against individuals. Importantly however, employers should also take note of how such enforcements can be used to help protect their organisation’s valuable personal data.
What did Mr Morrisey do wrong?
He admitted to sending 11 emails from his work email account to his personal account in February this year, and further emails from a similar database in 2016. These emails contained information which related to 183 people, including three children. The information transferred included full names, dates of birth and telephone numbers, which constitute ‘personal data’, and medical information, which constitutes ‘sensitive personal data’ under the current data protection legislation.
This copying and sharing of personal data breached a provision of the Data Protection Act 1998 (‘DPA’) which seeks to prevent the unlawful obtaining of personal data without the consent of the Data Controller (the Trust, in this instance).
Is this the first time the ICO has brought similar proceedings against an individual?
Earlier this year, the ICO prosecuted a recruitment consultant, Rebecca Grey, for data theft, after she sent the contact details of approximately 100 existing and potential clients to her own personal email account when she joined a rival recruitment agency.
It is clear that the ICO will not shy away from prosecuting individuals who clearly breach the DPA, and the latest prosecution of an employee working for a registered charity shows that the ICO will not discriminate when prosecuting individuals for breaches of the DPA – all employees of all sectors need to be aware of the ICO’s enforcement powers.
What effect does this prosecution have on Mr Morrisey?
The conviction of Mr Morrisey left him with a two-year conditional discharge and an order to pay nearly £2,000 in prosecution costs and a victim surcharge. More far-reaching than the fine, however, is the criminal record that Mr Morrisey will have as a consequence of breaching the DPA, which compromises his ability to continue working in his chosen sector.
Why should this decision matter for employers?
First and foremost, where an employee breaches the DPA, there is potential negative reputational damage for the employer, even where they are not at fault. This damage is amplified however in industries where personal data is a key asset, such as the charities sector in Mr Morrisey’s case, or the recruitment sector in Ms Grey’s. The loss of goodwill from those whose personal data has been disclosed without authorisation can have a substantial detrimental effect on an organisation.
What therefore can employers learn from the cases involving Mr Morrisey and Ms Grey, and what measures can they introduce to negate any harmful repercussions of such a personal data breach?
1) Policy, Education and Training
Employers should take proactive steps to create clear and well-communicated policies relating to the security of personal data and employees’ obligations in relation to that data. Raising awareness of such policies, from the Board down to operational staff, is a significant factor in reducing the risk of personal data being disclosed without authorisation.
Employees should also be made aware that any deliberate breaches of these policies will be dealt with in accordance with the organisation’s disciplinary policy, which can lead to disciplinary action up to eventual termination of employment.
2) Practical measures
Simple practical steps can be taken by employers to reduce the risk of personal data being disclosed without authorisation. These can include using passwords and access rights to limit access to databases and personal data to those who strictly need it. Employers should keep passwords updated regularly, particularly once an employee is in the process of leaving, or has left, the organisation, and especially if any personal data is stored in the cloud. Moreover, employers should ensure that all personal data held is up to date and, if it is no longer required, or the legal basis on which they were processing the data (for example, the consent from legacy donors to charities) is no longer valid, then it should be deleted from their systems.
3) Prepare for a personal data breach
Whilst employers should take all reasonable measures to avoid any unauthorised disclosure of personal data, the risk of a rogue employee doing something that they are not authorised to do in connection with personal data always remains. Employers should prepare therefore for such an eventuality by implementing internal reporting procedures and potential remedial steps to respond to any unauthorised disclosures.
If such a disclosure was made, then employers could seek to reduce any reputational damage by responding swiftly to the breach, preventing any further loss and informing the ICO or data subject where required (please see our article on Data breaches under the GDPR for more information).
4) Inform exiting employees of their obligations
Many employers are unaware that employees who disclose personal data without authorisation can be pursued in other ways than simply relying on restrictive covenants in employment contracts. Whilst making a complaint to the ICO would take the matter out of the employer’s hands (in other words, it is up to the ICO if the matter is pursued or not), explaining to an existing employee that the employer has the right to do this, is likely to make that employee think twice before doing anything they should not in connection with any personal data.
The General Data Protection Regulation (‘GDPR’)…
With the impending introduction of the GDPR in May 2018, the importance to employers of safely and compliantly processing personal data has arguably never been more significant. This, coupled with the ICO’s clear willingness to punish those individuals who deliberately breach the legislation and potentially cause reputational damage to organisations, means employers should be taking steps now to protect the personal data they record, use and store.