Even a relatively small data protection breach can have serious consequences for those involved. An individual was fined £850 plus costs in a recent case.
Facts of the case
An apprentice at Southwark Council was investigated by the Information Commissioner’s Office (ICO) for breaching section 55 of the Data Protection Act 1998. The ICO found that the employee, who was working in the schools admissions team at the time, took a screenshot of a spreadsheet that contained information about children who were eligible for free school meals.
Included in the screenshot image were the names, National Insurance numbers, dates of birth and addresses of 37 children and their parents. The individual, who had received data protection training, sent the image via Snapchat to the separated parent of one of the children, along with a copy of an admission record for another pupil.
At Westminster Magistrates’ Court, the employee pleaded guilty to three counts of illegally obtaining and disclosing personal data. She was fined £850 by the Court and ordered to pay prosecution costs of over £700.
With the EU’s General Data Protection Regulation (GDPR) coming into effect in May 2018, data protection laws are becoming even more stringent. When it comes to personal data – like the data that was involved in this case – breaches represent a serious legal failure.
The onus is on all employers to ensure their staff are properly trained in data protection, and to act with transparency in the event of a breach. Where an individual gets it wrong, they can be prosecuted and face personal liability, as in this case. Employees handling personal data as part of their duties need to take particular care to prevent unauthorised disclosure and should request proper training from their employer if this is not provided.