Utilizziamo cookies e tecnologie similari per migliorare l’esperienza all’interno del sito e offrire all’utente un servizio di maggior valore. I cookie presenti su questo sito sono cookie tecnici per garantire il funzionamento del sito e cookie analitici, anche di terze parti, utilizzati da noi e dai nostri partner per misurare le performance del Sito e capire i contenuti che vi interessano. Per accettare i cookie clicca «accetta i cookie analitici». Per rifiutare i cookie clicca «rifiuta i cookie analitici». Per maggiori informazioni ti invitiamo a leggere la nostra Cookie Policy.

ICO issues warnings over access of personal data without a ‘valid business reason’


The ICO has warned employees that they might face a criminal prosecution if they access or share personal data without a ‘valid business reason’. The warning was issued after the Birmingham Magistrates’ Court fined two workers in separate cases for breaching data protection laws. Both cases were subject to the Data Protection Act 1998.

  • Who is the ICO?

  • Case  One

  • Case Two

  • Employers’ Liability

  • Why are these cases subject to the Data Protection Act 1998?

  • Conclusion

Who is the ICO?

The Information Commissioner’s Office (ICO) is an independent authority set up to promote data privacy and uphold information rights in the UK, and can bring criminal prosecutions, non-criminal enforcements and conduct audits against organisations and individuals that breach data protection laws.

Case  One

The defendant was employed at the Heart of England NHS Foundation Trust when they illegally accessed the personal records of 14 individuals.  Under their employment, the defendant was authorised to access certain personal records.

However, internal investigations found them to have accessed personal data of several family members and children known to them between February and August 2017. Their employer confirmed that there was no business need for them to access this personal data.

The defendant pled guilty to breach of section 55 (unlawful obtaining of personal data) of the Data Protection Act 1998 and was fined £1000, with a £50 victim surcharge and £590 towards prosecution fees, as per the penalties and fees in section 60 of the Data Protection Act 1998.


Case Two

The defendant, an ex-employee of V12 Sports and Classics Ltd pled guilty to breach of section 55 (unlawful obtaining of personal data) of the Data Protection Act 1998.  The defendant was found to have forwarded several work emails containing personal data of customers and other employees to her personal email account in August 2017, weeks before resigning from her role with the employer.  The defendant was ordered to pay a fine of £200, with a £30 victim surcharge, and £590 toward prosecution costs, in line with the penalties and fees prescribed in section 60 of the Data Protection Act 1998.

Employers’ Liability

In WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339 the English Courts confirmed that an employer would be vicariously liable for data breaches by ‘rogue’ employees if breach of data in question is sufficiently connected to the individual’s employment, and there is a close connection between the task assigned to the individual and the breach. This decision was upheld by the English Court of Appeal.   The Morrison Supermarkets judgement was issued in terms of the Data Protection Act 1998, but there is nothing to suggest that this reasoning would be invalid under the Data Protection Act 2018 (which implements the GDPR).

In terms of Cases One and Two mentioned above, it can only be assumed that the ICO chose not to bring any action against the employers because while the close connection test would probably be satisfied, these were relatively low-risk incidents.  Information about whether the employers had taken all necessary precautions to limit the possibility of such a breach taking place is unavailable in the official report and transcripts of the cases are currently unavailable.


Why are these cases subject to the Data Protection Act 1998?

A limited number of criminal enforcement cases, including the cases above, are still being dealt with under the provisions of section 55 of the Data Protection Act 1998.  This is because of the time when the breach of the legislation occurred.   The GDPR was introduced into domestic UK legislation, through the Data Protection Act 2018, and brought into force on 25th May 2018.  This means that all data breaches after this date will be governed by the 2018 Act. 



As previously mentioned, it is unclear from the facts in the above mentioned Case One and Two if the employers discovered the breach but as discussed above, employers can be held strictly liable for the actions of employees that lead to breaches of data protection while they are under employment.  Penalties for breaches under the 2018 Act are:

  • administrative fines up to 10 000 000 EUR; or 
  • in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. 

It is thus important for employees to ensure that processes are in place to prevent employees from breaching data protection law.  This can be done by ensuring that adequate training and safeguarding processes are in place to deal with personal data lawfully and ensuring that third party processors have appropriate security measures in place to protect personal data.



Contact Person Picture

Jan Eberhardt

+44 0121 2278963

Invia richiesta

Contact Person Picture

Emma Vickers

+44 0121 2278963

Invia richiesta

 Rödl & Partner UK

Discover more about our offices in the United Kongdom. Read more »

 Data Protection Bites

Our newsletter aims at collecting updates, news and insights on data protection matters worldwide, with a special focus on the GDPR. Read all releases »
Deutschland Weltweit Search Menu