A new law came into force in the UK in May 2018, which outlines that employees can face prosecution for data protection breaches. As with previous legislation, the new law (the Data Protection Act 2018) contains provisions making certain disclosure of personal data a criminal offence. The Information Commissioner’s Office has prosecuted several individuals in the last couple of years for misusing personal information obtained from their workplaces.
The old Data Protection Act 1998
The previous data protection act (the “DPA 1998”) criminalised knowingly or recklessly obtaining, disclosing or procuring personal data without the consent of the data controller, and the sale or offering for sale of that data (section 55).
Section 55 was most often used to prosecute those who had accessed healthcare and financial records without a legitimate reason.
Examples of employees being prosecuted for data protection breach
In recent years there have been several cases of employees being prosecuted for breaching data protection regulations.
A former GP practice manager was fined for sending personal data to her own email account without authorisation.
Shamim Sadiq worked at Hollybrook Medical Centre in Littleover, Derby, but was suspended on 3 November 2017 for unrelated matters and dismissed later that month.
Sadiq, of Carlton Road, Derby, admitted unlawfully accessing personal data and received a £120 fine, plus £364 prosecution costs and a victim surcharge of £30.
A recruitment consultant emailed the personal data of approximately 100 clients and potential clients to her personal email address, before leaving the organisation. She then used this information to contact those individuals in her new job.
When her ex-employer discovered this, it informed the Information Commissioner’s Office which brought a case against Ms Gray under section 55. Having pleaded guilty to the offence, she received a £200 fine and ordered to pay £214 prosecution costs plus a £30 victim surcharge.
The case, R v Rebecca Gray shows how the legislation can be used by employers faced with a data breach by an employee or ex-employee.
An employee of Heart of England NHS Foundation Trust (HEFT) unlawfully accessed the personal records of 14 individuals between February 2017 and August 2017, and received a fine accordingly.
An internal investigation found that the employee had viewed personal data of seven family members and seven children known to her. Although she was authorised to access records on HEFT’s systems, there was no business need for her to do so on these occasions and therefore she broke data protection law.
The employee pleaded guilty to breaching section 55 and section 60 of the Data Protection Act 1998 when she appeared at Birmingham Magistrates’ Court on 15 March 2019. She was ordered to pay a £1,000 fine with a £50 victim surcharge and was ordered to pay £590 towards prosecution costs.
The General Data Protection Regulation and the Data Protection Act 2018
The General Data Protection Regulation (GDPR) is an EU regulation dealing with data protection and privacy, as well as the transfer of personal data outside the EU, which applies to all EU citizens.
It replaced the former European data protection directive which had been in place since 1995. The GDPR came into force automatically in the UK on the 25 May 2018. The requirements of the GDPR were enacted into UK law by the Data Protection Act 2018, which came into force on the same day.
Because GDPR has been enacted into domestic legislation by Parliament, its provisions will continue to apply after Brexit, unless the Data Protection Act 2018 is amended.
GDPR and the Data Protection Act 2018 repeat and build upon section 55 of the 1998 Data Protection Act by adding the offence of knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data controller (usually the employer).
Although prosecutions by the Information Commissioner’s Office (ICO) are still relatively rare, it seems likely that it will continue to pursue individuals through the Courts, particularly where a complaint has been made.
The ICO will decide whether or not to bring a GDPR related prosecution in the Courts; it will usually notify the individual concerned in writing of its intention to do so. This would usually be followed by a formal summons to Court for trial.
Employment law issues surrounding data protection breaches
Data controllers are subject to increasingly stringent requirements and, potentially far harsher penalties by the Information Commissioner. For example, they must notify, the Information Commissioner within 72 hours of any data breach concerning personal data held by them.
Consequently, employers are likely to regard a workplace data protection breach more seriously themselves. With litigation and reputational risks increasing, employers may be tempted to discipline their workers more harshly for a breach, and treat them as gross misconduct. This would allow the employer to dismiss without notice or pay in lieu of notice where such a breach is proven.
Preventing an employee data breach
Ideally, employers will now be focusing on prevention rather than cure when it comes to employee data handling. This can be achieved by ensuring regular and adequate training for relevant staff about legislation such as GDPR, and putting in place clear and properly communicated policies.
Employees need to be very clear about their obligations and if in doubt should ask for clarification from managers as to the extent of their responsibilities and for further training, if it is felt this is needed.
Where an employee has particular concerns about the security of their employer’s personal data, they should raise these immediately.
An employee should never send personal data obtained at work to their own or any other third party, other than as expressly authorised by their employer.
If you have any further questions regarding employees being prosecuted for data protection breaches or how the new data protection laws, including GDPR, will impact your organisation, please do not hesitate to get in touch with our team of employment law specialists.