Fine for theft of employer’s personal data
Can departing employees be fined for stealing their employer's personal data? Even if the theft is relatively "minor"?
Daniel Short, a former recruitment consultant, left his employment at VetPro Recruitment in October 2017 and set up his own rival business called VetSelect. VetPro heard of Mr Short’s new company and had concerns regarding the integrity of the database VetPro used to recruit vets and nurses. This database contained the personal data of over 16,000 people. VetPro subsequently contacted Mr Short to enquire if he had taken information from VetPro’s database when leaving its employment. Mr Short confirmed he had taken some personal data, claiming it was for his own “record of achievement”. The matter was then reported to the ICO. During its investigation, the ICO discovered that Mr Short had stolen the personal data of 272 individuals from VetPro’s database and used these details for his own commercial gain.
Mr Short pleaded guilty before Exeter Magistrates’ Court to unlawfully obtaining personal data under section 55 of the Data Protection Act 1998. Mr Short was fined £355, ordered to pay costs of £700 and also ordered to pay a victim surcharge of £35.
Why is this important?
While this case is not of significant financial value and was not heard before one of the higher courts of the land, it demonstrates that both the ICO and the UK courts are willing to prosecute breaches of data protection laws, even for smaller offences. Mike Shaw, Criminal Investigations Manager at the ICO confirmed that “Data Protection laws are there for a reason and the ICO will continue to take action against those who abuse their position”.
Any practical tips?Ensure that your data protection policies and procedures are up to date and compliant with data protection law. This case confirms that the ICO is willing to investigate and pursue even the smallest breach of data protection law. Above all, reminding employees (especially departing ones) about the implication of the unauthorised copying of personal data (in particular the criminal implications) may be a neat way of stopping a potential data breach before it even happens.