A charity employee pleaded guilty to unlawfully obtaining personal data under s.55 of the Data Protection Act 1998 and was ordered to pay £1,860.25.
On 22 February 2017, an employee of Rochdale Connections Trust sent 11 emails to his personal email account. Those emails contained spreadsheets of information of about 183 vulnerable people, three of whom were children. The information included highly sensitive details such as full names, contact details, dates of birth and medical information. It also came to light that the employee had sent similar information to his personal email account the previous year. His employer was unaware of his actions.
He pleaded guilty to unlawfully obtaining personal data under s.55 of the Data Protection Act 1998 and was ordered to pay prosecution costs of £1,845.25 and a victim surcharge of £15. He was also given a conditional discharge for two years.
With employers currently focussed on preparing for the General Data Protection Regulation (GDPR), which will apply from 25 May 2018, this judgment serves as a reminder not only that individuals can be personally liable for data protection breaches but also of what the consequences could have been for the employer in this case had they been aware of the breach.
No action was taken against Rochdale Connections Trust because there was no sign of any wrongdoing by them. However, even under current data protection legislation, all data controllers have a duty to ensure that the personal data they hold is secure and that appropriate technical and organisational measures are taken against unauthorised or unlawful processing or use. That duty will continue under the GDPR.
In the event of an infringement of the Data Protection Act, the Information Commissioner’s Office currently has the power to impose a fine of up to £500,000. However, under the GDPR, potential fines could be up to €10 million or up to 2% of the data controller’s total worldwide annual turnover (whichever is greater), or, for the most serious breaches, up to €20 million or up to 4% of the data controller’s total worldwide annual turnover (whichever is greater).
As part of their preparation for the GDPR, employers are advised to review all internal procedures to reduce the risk of potentially costly data breaches.