Most of us have a clause in the contract reminding employees that the data they work with is confidential and not to be taken outside of the company. (If you don’t, give me a call!)
However, if you do have an ex-employee who you discover has taken your client data to a rival company or to set up on their own behalf, then an effective way to deal with it – especially with GDPR on the way – is to report the breach to the Information Commissioner’s Office (ICO).
They enforce the Data Protection Act and will also enforce GDPR from 25 May this year.
In May 2016 the ICO successfully prosecuted a Mr Lloyd (L), an ex-employee of Acorn Waste Management.
Before leaving his employment at AWM to start work with a rival company, Mr Lloyd sent an e-mail containing the details of 957 of his employer’s clients to his personal e-mail address.
The e-mail contained personal data, such as client contact details, their purchase history and other commercially sensitive information.
Mr Lloyd pleaded guilty to unlawfully obtaining personal data, was fined £300 and ordered to pay £406 in costs and a £30 victim surcharge.
At the end of 2016, Karun Tandon was also successfully prosecuted.
Tandon, who previously worked at Lex Autolease Ltd, used his work computer to access the personal data records of 551 customers who had been involved in road traffic accidents.
He then emailed those details to his personal email address and subsequently sold them to a third party as personal injury leads. He was prosecuted for unlawfully obtaining personal data and unlawfully selling personal data. He pleaded guilty and was fined £500 and ordered to pay costs of £364.
In 2011, two T-Mobile employees were fined £45,000 for passing nearly 500,000 customer details on to a competitor.
In 2013, Paul Hedges was fined £3,000 after he accessed his employer’s customer details with the intention of setting up a rival business.
Tip. It’s completely irrelevant how personal data is removed from your control – exactly the same principles would have been applied if the data had been downloaded to a USB flash drive or physically photocopied.
Where you reasonably suspect that an individual has removed confidential information on leaving your employment, and this includes third parties’ personal data, you might be able to obtain some leverage over them by threatening to report the matter to the ICO.
We can send them a letter threatening to contact the ICO.
A Sufficient Deterrent?
Although a fine from the ICO can potentially be unlimited, in practice it’s probably going to be modest.
This will change when GDPR comes into force on 25 May 2018.
However, whilst the deterrent effect of reporting an employee to the ICO may well be limited, most people certainly won’t want to risk having a criminal record as well as the adverse publicity it will attract.
Be aware, however, that if there is a data breach, you as the employer will need to prove that you have trained staff on data protection and that they were aware of their personal legal obligations.
Having a clause in the contract will NOT be enough to prove that you were not negligent in keeping data safe.
Hope this helps – if you’ve got any questions, give me a shout.