Former employee prosecuted for transferring client information unlawfully and upcoming Data Protection changes.
An employee who transferred client information held by his company to his personal email account before moving to his new job at a competitor company has been prosecuted by the Information Commissioner’s Office (ICO).
The ICO prosecuted the individual under section 55 of the Data Protection Act 1998, and he was fined for the breach. The email he sent to himself contained highly sensitive information including contract details, order history and payment details of the company’s clients.
This is not the first time the ICO has prosecuted an individual due to data protection breaches. Another former employee was fined for trying to obtain personal data without the consent of the data controller.
It’s important to remember that the ICO do have the power to prosecute for breaches of the Data Protection Act 1998 and such action could become more frequent in the future given the UK’s adoption of the new EU General Data Protection Regulation (GDPR). This will not only affect how companies deal with client data but also how they handle and process employee data. The GDPR is expected to take effect in the first half of 2018.
Many of the GDPR’s main concepts and principles are similar to those in the current Data Protection Act 1998. However, there are new elements and highly significant enhancements that employers need to be aware of, such as:
- Employers will have to give extensive information to their employees when obtaining personal data from them. This will include information on how employers intend to use the data, why the data is required and being processed, how long the information will be retained for and how to raise a complaint with the ICO if they are unhappy about how their data is being used.
- Obtaining consent to data processing within an employee’s employment contract is likely to be considered insufficient under the GDPR. Consent given by an employee can be withdrawn at any time, since employees will have the right to object where their consent is the legal basis for processing their data. Consent will have to be freely given, specific, unambiguous and informed.
- Data subject access requests will be made easier for employees and without payment of a fee, and employers will have a maximum of one month to respond.
- A self-reporting regime will be introduced whereby employers must notify the ICO within 72 hours of data protection breaches which result in a risk to the rights of employees. If there is a high risk to the rights of the employee, then the employee must also be notified.
- Employees can insist on the deletion of their data in certain circumstances, or that the data is changed.
- Employers will need to be able to demonstrate that they are data protection compliant including by way of records and policies.
- Penalties for breaches of data protection obligations are significantly increased – potentially up to 4% of your total turnover!
Now is the time to take stock of your data processing practices. If you have any data protection concerns, please contact Gareth McKnight.