A recent enforcement action by the Information Commissioners Office (ICO) against a former customer services officer at Stockport Homes Limited (SHL) serves as a timely reminder to landlords (and others) to ensure that their staff are using personal data available to them in the course of their work appropriately.
The former employee of Stockport Homes Limited accessed SHL’s case management system 67 times during 2017 to look at antisocial behaviour cases despite the fact that she was not authorised to view such content and had no business need to do so. The offences were revealed during an audit of the former employee’s access to the case management system undertaken in light of concerns regarding her performance. The former employee resigned from SHL and was charged with unlawfully accessing personal data under section 55 of the Data Protection Act 1998. She pleaded guilty at Stockport Magistrates Court on 6 June 2019 and was ordered to pay a £300 fine, £364.08 in costs and a victim surcharge of £30.
Mike Shaw, Group Manager (Enforcement) at the ICO, said “People have the absolute right to expect that their personal information will be treated with the utmost privacy and in strict accordance with the UK’s data protection laws. Our prosecution of this individual should act as a clear warning that we will pursue and take action against those who choose to abuse their position of trust”.
This is the fifth reported criminal prosecution of an individual who has misused personal data accessed in their work capacity so far this year. This case was brought under the Data Protection Act 1998 because the offences to which it related were carried out in 2017; offences occurring on or after 25 May 2018 would be prosecuted under equivalent provisions set out in section 170 of the Data Protection Act 2018.
Whilst there was no suggestion that SHL itself fell short of the required standards under data protection legislation, this incident serves as a timely reminder to all landlords to ensure that they have appropriate data protection policies and procedures in place and that these are monitored and enforced where necessary. In particular, landlords must ensure that they provide all staff with data protection training both as part of their induction procedure and periodically throughout their employment. Landlords should also review internal arrangements for staff access to data and apply technical and organisational measures to ensure that access to personal data by staff is given on a need to know basis.
This article is from the summer 2019 issue of Room with a View, our newsletter aimed at professionals within the property industry.