In each edition, we intend to provide a brief round-up of notifiable enforcement action taken by the ICO. Firstly, we turn to a prosecution brought by the ICO which is of interest due to the impending appeal of the Morrisons Supermarket case.
Kevin Bunsell, who was Head of Building Control at Nuneaton and Bedworth District Council, has been sentenced at Nuneaton Magistrates’ Court to a fine of £660 (plus costs of £713.75 and a victim surcharge of £66) for passing the recruitment packs of job applicants on to his partner’s Hotmail address. At the time, his partner was applying for an administrative position at the council and the recruitment packs belonged to rival candidates. He was not part of the recruitment process on this occasion. He nonetheless accessed the council’s recruitment system to get hold of the packs, which included the candidates’ names, addresses, telephone numbers, and CVs as well as contact details for their referees.
You will recall the Morrisons Supermarket case, which has already been heard in the Court of Appeal and is awaiting appeal to the Supreme Court. The background was that Andrew Skelton, a senior IT internal auditor employed by Morrisons, posted a file containing the personal details of 99,998 employees onto a file sharing website. The data included the name, address, gender, date of birth, phone numbers, national insurance number, bank account number, sort code, and salary of each employee. He then sent copies of a CD containing the same data to three newspapers, none of which published it. One newspaper alerted Morrisons to the data leak and within hours the website was taken down. Mr Skelton was sentenced to eight years’ imprisonment in the prosecution brought by the ICO.
In the action brought by the affected employees, it was found there was a sufficient connection between the position Mr Skelton held and his wrongful conduct for Morrisons to be held vicariously liable. The judgment in Morrisons makes it clear that the employee’s motive is irrelevant; an employer can be vicariously liable for deliberate wrongdoing by an employee.
In the Bunsell case, so far only Mr Bunsell has been prosecuted. Following Morrisons, it seems likely that those employees who were affected by the data breach will have grounds to bring a claim against Nuneaton and Bedworth District Council under vicarious liability. Whether those grounds remain solid will depend on the outcome of Morrisons’ appeal to the Supreme Court.
Meanwhile, the ICO continues to focus on DSARs and marketing calls and emails. Magnacrest Limited has received a nominal fine of £300 for failing to comply with an enforcement notice in relation to a DSAR. Leave.EU Group has received two fines (£45,000 and £15,000), and Eldon Insurance Services Limited has been fined £60,000, for sending direct marketing emails without consent. Alistair Green Legal Services Limited has been fined £80,000 for making nuisance calls to subscribers.
The ICO has issued assessment notices to Leave.EU and Eldon Insurance Services Limited, and will now carry out an audit of their offices which will include reviewing their data protection practices and interviewing staff. The audit findings will be made public.
Investigations by the ICO into nuisance marketing have resulted in 16 company directors being banned from running a company for more than 100 years in total. The ICO has reached this key milestone by working in partnership with the Insolvency Service, referring evidence which can result in company directors being disqualified for up to 15 years. The PECR (Amendment) Regulations 2018 have the effect that the ICO now has powers to make company directors and other company officers (including the secretary, members and managers) personally liable for the fines imposed for illegal marketing. Individuals will no longer be able to hide behind the “corporate veil” by dissolving the company to avoid paying the fine, often called “Phoenixing”.