Home
Internal
Global
Contatto
The ICO has warned employees that they might face a criminal prosecution if they access or share personal data without a ‘valid business reason’. The warning was issued after the Birmingham Magistrates’ Court fined two workers in separate cases for breaching data protection laws. Both cases were subject to the Data Protection Act 1998.
The Information Commissioner’s Office (ICO) is an independent authority set up to promote data privacy and uphold information rights in the UK, and can bring criminal prosecutions, non-criminal enforcements and conduct audits against organisations and individuals that breach data protection laws.
The defendant was employed at the Heart of England NHS Foundation Trust when they illegally accessed the personal records of 14 individuals. Under their employment, the defendant was authorised to access certain personal records.
However, internal investigations found them to have accessed personal data of several family members and children known to them between February and August 2017. Their employer confirmed that there was no business need for them to access this personal data.
The defendant pled guilty to breach of section 55 (unlawful obtaining of personal data) of the Data Protection Act 1998 and was fined £1000, with a £50 victim surcharge and £590 towards prosecution fees, as per the penalties and fees in section 60 of the Data Protection Act 1998.
The defendant, an ex-employee of V12 Sports and Classics Ltd pled guilty to breach of section 55 (unlawful obtaining of personal data) of the Data Protection Act 1998. The defendant was found to have forwarded several work emails containing personal data of customers and other employees to her personal email account in August 2017, weeks before resigning from her role with the employer. The defendant was ordered to pay a fine of £200, with a £30 victim surcharge, and £590 toward prosecution costs, in line with the penalties and fees prescribed in section 60 of the Data Protection Act 1998.
In WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339 the English Courts confirmed that an employer would be vicariously liable for data breaches by ‘rogue’ employees if breach of data in question is sufficiently connected to the individual’s employment, and there is a close connection between the task assigned to the individual and the breach. This decision was upheld by the English Court of Appeal. The Morrison Supermarkets judgement was issued in terms of the Data Protection Act 1998, but there is nothing to suggest that this reasoning would be invalid under the Data Protection Act 2018 (which implements the GDPR).
In terms of Cases One and Two mentioned above, it can only be assumed that the ICO chose not to bring any action against the employers because while the close connection test would probably be satisfied, these were relatively low-risk incidents. Information about whether the employers had taken all necessary precautions to limit the possibility of such a breach taking place is unavailable in the official report and transcripts of the cases are currently unavailable.
A limited number of criminal enforcement cases, including the cases above, are still being dealt with under the provisions of section 55 of the Data Protection Act 1998. This is because of the time when the breach of the legislation occurred. The GDPR was introduced into domestic UK legislation, through the Data Protection Act 2018, and brought into force on 25th May 2018. This means that all data breaches after this date will be governed by the 2018 Act.
As previously mentioned, it is unclear from the facts in the above mentioned Case One and Two if the employers discovered the breach but as discussed above, employers can be held strictly liable for the actions of employees that lead to breaches of data protection while they are under employment. Penalties for breaches under the 2018 Act are:
It is thus important for employees to ensure that processes are in place to prevent employees from breaching data protection law. This can be done by ensuring that adequate training and safeguarding processes are in place to deal with personal data lawfully and ensuring that third party processors have appropriate security measures in place to protect personal data.
Jan Eberhardt
Invia richiesta
Emma Vickers
