
Can employees be prosecuted for data protection breaches?

A new law came into force in the UK in May 2018 under which employees can face prosecution for data protection breaches. As with previous legislation, the new law (the Data Protection Act 2018) contains provisions making certain disclosures of personal data a criminal offence. The Information Commissioner’s Office has prosecuted several individuals in the last couple of years for misusing personal information obtained from their workplaces.


The old Data Protection Act 1998

The previous Data Protection Act (the “DPA 1998”) criminalised knowingly or recklessly obtaining, disclosing or procuring personal data without the consent of the data controller, and the sale or offering for sale of that data (section 55).

Section 55 was most often used to prosecute those who had accessed healthcare and financial records without a legitimate reason.


Examples of employees being prosecuted for data protection breach

In recent years there have been several cases of employees being prosecuted for breaching data protection regulations.


Example one:

A former GP practice manager was fined for sending personal data to her own email account without authorisation.

Shamim Sadiq worked at Hollybrook Medical Centre in Littleover, Derby, but was suspended on 3 November 2017 for unrelated matters and dismissed later that month.


Sadiq, of Carlton Road, Derby, admitted unlawfully accessing personal data and received a £120 fine, plus £364 prosecution costs and a victim surcharge of £30.


Example two:

A recruitment consultant emailed the personal data of approximately 100 clients and potential clients to her personal email address, before leaving the organisation. She then used this information to contact those individuals in her new job.


When her ex-employer discovered this, it informed the Information Commissioner’s Office, which brought a case against Ms Gray under section 55. Having pleaded guilty to the offence, she received a £200 fine and was ordered to pay £214 prosecution costs plus a £30 victim surcharge.


The case, R v Rebecca Gray, shows how the legislation can be used by employers faced with a data breach by an employee or ex-employee.


Example three:

An employee of Heart of England NHS Foundation Trust (HEFT) unlawfully accessed the personal records of 14 individuals between February 2017 and August 2017, and received a fine accordingly.


An internal investigation found that the employee had viewed personal data of seven family members and seven children known to her. Although she was authorised to access records on HEFT’s systems, there was no business need for her to do so on these occasions and therefore she broke data protection law.


The employee pleaded guilty to breaching section 55 and section 60 of the Data Protection Act 1998 when she appeared at Birmingham Magistrates’ Court on 15 March 2019. She was ordered to pay a £1,000 fine with a £50 victim surcharge and was ordered to pay £590 towards prosecution costs.


The General Data Protection Regulation and the Data Protection Act 2018

The General Data Protection Regulation (GDPR) is an EU regulation dealing with data protection and privacy, as well as the transfer of personal data outside the EU, which applies to all EU citizens.


It replaced the former European data protection directive, which had been in place since 1995. The GDPR came into force automatically in the UK on 25 May 2018. The requirements of the GDPR were enacted into UK law by the Data Protection Act 2018, which came into force on the same day.


Because GDPR has been enacted into domestic legislation by Parliament, its provisions will continue to apply after Brexit, unless the Data Protection Act 2018 is amended.


GDPR and the Data Protection Act 2018 repeat and build upon section 55 of the 1998 Data Protection Act by adding the offence of knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data controller (usually the employer).


Although prosecutions by the Information Commissioner’s Office (ICO) are still relatively rare, it seems likely that it will continue to pursue individuals through the Courts, particularly where a complaint has been made.


The ICO will decide whether or not to bring a GDPR related prosecution in the Courts; it will usually notify the individual concerned in writing of its intention to do so. This would usually be followed by a formal summons to Court for trial.


Employment law issues surrounding data protection breaches

Data controllers are subject to increasingly stringent requirements and potentially far harsher penalties from the Information Commissioner. For example, they must notify the Information Commissioner within 72 hours of any data breach concerning personal data held by them.


Consequently, employers are likely to regard a workplace data protection breach more seriously themselves. With litigation and reputational risks increasing, employers may be tempted to discipline their workers more harshly for a breach and treat it as gross misconduct. This would allow the employer to dismiss without notice or pay in lieu of notice where such a breach is proven.


Preventing an employee data breach

Ideally, employers will now be focusing on prevention rather than cure when it comes to employee data handling. This can be achieved by ensuring regular and adequate training for relevant staff about legislation such as GDPR, and putting in place clear and properly communicated policies.


Employees need to be very clear about their obligations and, if in doubt, should ask managers to clarify the extent of their responsibilities and request further training if they feel it is needed.


Where an employee has particular concerns about the security of their employer’s personal data, they should raise these immediately.

An employee should never send personal data obtained at work to themselves or to any third party, other than as expressly authorised by their employer.

 

  • If you have any further questions regarding employees being prosecuted for data protection breaches or how the new data protection laws, including GDPR, will impact your organisation, please do not hesitate to get in touch with our team of employment law specialists.

