There has been much highlighting of the high level fines which can be imposed under the GDPR for data protection breaches. What is less known is that individuals can be prosecuted and subject to fines for data protection offences on a personal basis. This has been the case for some time under s.55 of the Data Protection Act 1998, which made it an offence to obtain, disclose or procure the disclosure of personal data without the consent of the data controller, or to sell such data. This provision is now replicated in s.170 of the Data Protection Act 2018, which adds retaining data without consent as an offence.
A number of prosecutions for such offences have been reported recently by the ICO, which were carried out under the 1998 Act due to the offences occurring prior to the GDPR coming into force.
These include:
- A local authority employee whose partner had applied for an administrative job at the same council. He was not involved in the recruitment process because of their relationship, but accessed the recruitment system and obtained information about the other shortlisted candidates. This included their names, addresses, phone numbers, CVs and referee contact details. He emailed this information to his work email address and also his partner’s personal email address. He was charged with unlawfully sharing data under s.55 and fined £660, ordered to pay £713.75 of costs and a victim surcharge of £66. The employee also resigned his position after his actions were discovered. His partner had initially been successful in the recruitment, but her employment was terminated as it was considered the process in which she was appointed was invalid.
- An NHS employee was charged with breach of s.55 after accessing the records of patients unlawfully. She was authorised to access the system, but accessed records of 7 adults and 7 children who were known to her without a business need to do so. She pled guilty and was fined £1,000, a £50 victim surcharge, and was ordered to pay £590 towards prosecution costs.
- An employee at a car dealership forwarded work emails containing personal data of customers and colleagues to her personal email address, then resigned just weeks later. She pled guilty to a breach of s55 and was fined £200, with a £30 victim surcharge, and was ordered to pay £590 towards prosecution costs.
- A GP Practice manager who had been suspended (due to unrelated matters) sent an email containing details of candidates for a vacant position at the surgery to her personal account the day following her suspension without a business reason for doing so. She was fined £120 with victim surcharge of £30 and ordered to pay £364 in costs.
These cases illustrate the potential consequences of data protection breaches for employees. As well as being subject to potentially unlimited fines or imprisonment, consequences can go beyond this to, for example, loss of employment or reputational damage. Cases which gain media attention could also affect future career prospects if an employee is considered to be untrustworthy with personal data, particularly given the potential implications for their employers who may be vicariously liable for their actions (see our blog on vicarious liability for more information – although it should be noted that this decision is currently being appealed).
Given the potential for vicarious liability, employers may be concerned about how to prevent employees from acting in a manner which breaches data protection law and potentially has consequences for the business.
Data protection breaches are frequently dealt with under disciplinary procedures, and may be cause for dismissal if the employee’s conduct is sufficiently serious. However, as with any dismissal, all the circumstances have to be considered and factors which may be of relevance are whether the employee knew that their actions were a breach of data protection rules, or had been warned previously about such conduct.
Employee training can be a useful way of ensuring employees are aware of what amounts to a breach and what action they can take in order to avoid causing a data breach. Individuals should also be aware of their responsibilities and the possibility of personal consequences if they act in breach of data protection legislation.