The Information Commissioner’s Office has exercised its right to bring criminal prosecutions against two individuals who were found guilty of breaching data protection laws at Birmingham Magistrates Court earlier this month.
In the first case, an employee of Heart of England NHS Foundation Trust (HEFT) unlawfully accessed the personal records of 14 individuals between February 2017 and August 2017.
An internal investigation found that the employee had viewed personal data of seven family members and seven children known to her. Although she was authorised to access records on HEFT’s systems, there was no business need for her to do so on these occasions and therefore, she broke data protection law.
The employee pleaded guilty to breaching s55 and s60 of the Data Protection Act 1998 when she appeared at Birmingham Magistrates’ Court on 15 March 2019. She was fined £1,000, with a £50 victim surcharge, and was ordered to pay £590 towards prosecution costs.
In a separate case, the Court heard that Jayana Morgan Davis, forwarded several work emails containing personal data of customers and other employees to her personal email account in August 2017, weeks before resigning from her role at V12 Sports and Classics Ltd. She was fined £200, with a £30 victim surcharge, and was ordered to pay £590 towards prosecution costs after admitting to three offences of unlawfully obtaining personal data.
These cases demonstrate that the Information Commissioner’s Office is increasingly using its enforcement powers to bring criminal prosecutions against individuals, who face significant fines, if convicted, of accessing or sharing personal data without a valid reason. All employers should have data protection policies in place which sets out a framework for lawful data handling. Those whose jobs involve handling the data protection of others should be provided with adequate training on their legal responsibilities.