From recent prosecutions it seems that the Information Commissioner's Office (ICO) is a body to be taken seriously. Not only has it continued to bring enforcement action against organisations for data protection breaches, it also seems recently to have ramped up prosecutions against individuals for unlawfully obtaining client data.
A former waste disposal employee, Mr Lloyd, has been prosecuted by the ICO under section 55 of the Data Protection Act 1998 for transferring information about 957 clients of his employer, before moving to a new job with a competitor. The information transferred included personal data in the form of contact details and the purchase history of customers.
Unlawfully obtaining or accessing personal data is a criminal offence under section 55. The offence is punishable by way of a fine. Mr Lloyd was fined £300, and ordered to pay a victim surcharge of £30 and £405.98 in costs.
In April 2016, the ICO brought a similar prosecution against an employee who had attempted to obtain personal data without the consent of the data controller. At that time the ICO gave a warning that "anyone who tried to unlawfully obtain, disclose or sell personal data should expect to see themselves hauled before a court".
Whilst the fines issued to date have not been of high value, the recent prosecutions are likely to be an indicator of things to come and the threat of criminal sanctions could be an additional string in an employer's bow when discouraging employees from misusing the employer's information.
Further, although sanctions are currently limited to fines, the ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information. These recent prosecutions should be taken as a strong warning to employees to think twice before taking commercially sensitive information containing personal data to a new employer – the risks aren't simply financial; they may end up facing a criminal record.