This week the Information Commissioner’s Office (the ICO) reminded and warned people who work with personal data that they must obey strict data protection laws, after a charity worker was successfully prosecuted for sending personal data to his private email account.
The defendant, who was employed by The Rochdale Connections Trust, sent 11 emails from his work email account to his personal account in February 2017 containing the sensitive personal data of 183 people. The personal data included full names, dates of birth, telephone numbers and medical information. Further investigation showed that he had sent a similar database to his personal account in June 2016.
The employee was ordered to pay a fine of £1,860.25 after pleading guilty at Preston Crown Court to unlawfully obtaining personal data under section 55 of the Data Protection Act. Perhaps more significantly for the employee, he also left court with a criminal record.
Commenting on the case, the Head of Enforcement at the ICO, which brought the prosecution, said that “people have a right to expect that when they share their personal information with an organisation, it will be handled properly and legally…People whose jobs give them access to this type of information need to realise that just because they can access it, that doesn’t mean they should”.
This case is a reminder that the ICO can and will take enforcement action to change the behaviour of organisations and individuals that collect, use and keep personal data. This includes criminal prosecution, non-criminal enforcement and audit. The ICO also has the power to impose a monetary penalty on a data controller (in this case the Trust) of up to £500,000, although this will rise under the new GDPR in May 2018 to up to 4% of annual global turnover or €20 Million (whichever is greater) for the most serious breaches.
No action appears to have been taken against the Trust itself, and there is no suggestion of wrongdoing on its part, but, as a data controller, it must comply with the eight data protection principles set out in Schedule 1 to the Data Protection Act. These include the requirement that personal data be kept secure, with appropriate technical and organisational measures taken against unauthorised or unlawful processing or use. However, the impact of a data loss or breach may go far beyond the financial loss imposed (or not) by a fine: it may bring adverse publicity to the data controller and damage the reputation of its business with its employees, stakeholders and the public.
The protection of your business starts with having effective data protection systems in place, to enable the quick detection of potential data breaches, within a framework of robust employment policies and procedures. This will become even more important when the GDPR comes into force, when organisations will need to be able to demonstrate compliance through ‘privacy by design’. Those policies must be understood and adhered to by employees and applied consistently by the employer to instil a culture of appropriate and lawful behaviour across its entire workforce. Disciplinary action can and should therefore be taken whenever appropriate.