Most of us have a non-compete and confidentiality clause in the contract reminding employees that the data they work with is confidential and not to be taken outside of the company (if you don’t, give me a call!).
However, if you do have an ex-employee who you discover has taken your client data to a rival company or to set up on their own behalf, then an effective way to deal with it – especially with the GDPR (General Data Protection Regulation 2018) now in place – is to report the breach to the Information Commissioner’s Office (ICO), who will enforce the regulations.
You could try a civil prosecution against them, but that will cost a lot in legal fees and you would have to prove a loss. Much better to leave it to the ICO.
- In 2011, two T-Mobile employees were fined £45,000 for passing nearly 500,000 customer details on to a competitor.
- In 2013, Paul Hedges was fined £3,000 after he accessed his employer’s customer details with the intention of setting up a rival business.
- Mr Lloyd (L), an ex-employee of Acorn Waste Management (AWM), was successfully prosecuted.
  - Before leaving his employment at AWM to start work with a rival company, L sent an e-mail containing the details of 957 of his employer’s clients to his personal e-mail address.
  - The e-mail contained personal data, such as client contact details, their purchase history and other commercially sensitive information.
  - L pleaded guilty to unlawfully obtaining personal data, was fined £300 and ordered to pay £406 in costs and a £30 victim surcharge.
- At the end of 2016, Karun Tandon was also successfully prosecuted.
  - Tandon, who previously worked at Lex Autolease Ltd, used his work computer to access the personal data records of 551 customers who had been involved in road traffic accidents.
  - He then emailed those details to his personal email address and subsequently sold them to a third party as personal injury leads.
  - He was prosecuted for unlawfully obtaining personal data and unlawfully selling personal data. He pleaded guilty and was fined £500 and ordered to pay costs of £364.
- Daniel Short left the recruitment company he was working for, VetPro Recruitment, in October 2017 and a short time later set up his own similar company called VetSelect.
  - During an investigation it was discovered that Short had stolen the details of 272 individuals from VetPro’s database for commercial gain.
  - Short pleaded guilty to unlawfully obtaining personal data, was fined £355 and was ordered to pay costs of £700 as well as a victim surcharge of £35.
- Kim Doyle (KD) pleaded guilty to charges of conspiracy to secure unauthorised access to computer data, and to selling unlawfully obtained personal data. She was sentenced at Manchester Crown Court on 8 January 2021 to eight months’ imprisonment, suspended for two years.
  - KD unlawfully compiled lists of road traffic accident data including partial names, mobile phone numbers and registration numbers despite having no permission from her employers. She then unlawfully transferred the data she obtained to William Shaw (WS), the director of an accident claims management firm. WS was also sentenced to eight months’ imprisonment, suspended for two years, after pleading guilty to conspiracy to secure unauthorised access to computer data.
  - They were each ordered to carry out 100 hours’ unpaid work and contribute £1,000 costs.
  - A Confiscation Order under the Proceeds of Crime Act, to recover benefit obtained as a result of the offending, was made by the Court, under which KD must pay a benefit figure of £25,000 and WS must pay a benefit figure of £15,000. Both will face three months’ imprisonment if the benefit figures are not paid within three months.
It is important to note that it’s completely irrelevant how personal data is removed from your control – exactly the same principles would have been applied if the data had been downloaded to a USB flash drive or physically photocopied.
In our handbooks we have “sending company information to a private email address” as gross misconduct. So you could dismiss them for this breach of confidentiality as well as reporting them to the ICO.
Where you reasonably suspect that an individual has removed confidential information on leaving your employment, and this includes third parties’ personal data, you might be able to obtain some leverage over them by threatening to report the matter to the ICO.
We can send them a letter threatening to contact the ICO.
A Sufficient Deterrent?
A fine from the ICO can potentially be unlimited, and the penalties under GDPR are much worse than they were before.
However, whilst the deterrent effect of reporting an employee to the ICO may well be limited, most people certainly won’t want to risk having a criminal record as well as the bad publicity it will attract.
Be aware, however, that if there is a data breach, you, as the employer, will need to prove that you have trained staff on data protection and that they were aware of their personal legal obligations.
Having a clause in the contract will NOT be enough to prove that you were not negligent in keeping data safe.