This summer’s newspaper headlines were dominated by the phone hacking scandal, and other questionable – and arguably unlawful – tactics used by journalists to get their hands on a scoop. One such method is blagging – this is where a person impersonates another, with a view to extracting personal or confidential information about the person so impersonated.
As far as journalists are concerned, unlawfully obtaining personal data by deception – for example telephoning an organisation and pretending to be someone else in order to extract personal data – is (amongst others) an offence under the Data Protection Act 1998. However, it can also be an offence for a person to knowingly or recklessly disclose that information, so your employees could be caught out too. Where found guilty, the individual can face a fine and/or imprisonment. But what are the implications for the employer? Of course, there is a risk of reputational damage, but additionally, where the offence can be put down to the employer’s failure to comply with the eight “data protection principles”, the Information Commissioner can theoretically impose a fine on the employer too.
So what steps can you, as an employer, take to protect your organisation and your employees?
Every business which deals with customer or client personal data should have clear policies in place to govern how that information should be dealt with, and employees’ obligations in respect of personal data – for example, what steps are your employees required to take to check customers and clients who contact you by telephone are who they say they are? Such policies, though, are not worth the paper they are written on if they are not imparted to employees – so make sure that all your staff are familiar with your policies and know what to do and who to speak to if they are unsure about disclosing information. As an organisation, you should also make sure you comply with the eight “data protection principles”, in particular that there are appropriate security measures to protect personal data (such as encrypting data, and restricting access to only certain employees).
No offence is committed by the individual if disclosure is in the public interest. As we all know though, there is a world of difference between what is in the public interest and what is of interest to the public, so it is always better to minimise the legal and reputational risks of a claim in the first place by having procedures and policies in place, and making sure your employees receive relevant training.