Charity worker fined for unlawfully obtaining personal data from his employer

The Information Commissioner’s Office (ICO) is warning those who work with personal data that they must obey privacy laws in order to avoid prosecution and large fines which are set to become even more substantial under the forthcoming General Data Protection Regulation (GDPR) comes into force in 2018. The warning has come following a charity employee who has been prosecuted for data protection offences.

The employee, employed by Rochdale Connections Trust, has been ordered to pay a total of £1,860.25 and a victim surcharge of £15 after pleading guilty at Preston Crown Court to unlawfully obtaining personal data under section 55 of the Data Protection Act. He was also given a conditional discharge for two years.

Following an investigation, it was discovered that the employee had sent 11 emails to his personal email account on 22 February 2017 containing information which related to 183 Trust clients, three of whom were children, which included their names, dates of birth, telephone contact details and full medical records. It was also revealed that he had sent similar emails to his personal accounts the previous year on 14 June 2016.

Steve Eckersley, Head of Enforcement at ICO, stated: "People whose jobs give them access to this type of information need to realise that just because they can access it, that doesn’t mean they should".

The ICO can take action (including criminal prosecution) against organisations and individuals that process personal data. This includes the power to impose financial penalties on a data controller of up to £500,000.

Like the DPA, the GDPR includes the principle that personal data must be protected against unauthorised or unlawful processing. However, when the GDPR comes into force on 25 May 2018, employers will have the additional duty of accountability and will need to evidence their compliance with the regulations by showing they have policies and procedures in place to ensure that unauthorised and unlawful processing does not take place.

In addition, it is important that employers take proactive steps to promote best practice within their organisations by training staff on the consequences of misusing personal data and how to avoid non-compliance. Reviewing contracts, policies and procedures in relation to data protection will go a long way to help ensure that employers are GDPR ready, and help to avoid heavy financial sanctions being made against their employees.  

CONTACT CHRIS

If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798089.

Want to know more?

Click here to view SA Law's dedicated GDPR hub page for more practical information, views and insight from our expert teams. 

Read our latest views & insight about the GDPR
GDPR Numbers Image SA Law
Views & Insights
GDPR one year on

Subject access requests and complaints have been commonplace since the GDPR came into effect. Find out more about the trends and traps.

Read More
SA Law Red arrow neon light image
Views & Insights
What to expect in Data Protection Law in 2019

Our Data Protection Team highlight what we can expect to see from the Data Protection Act in 2019 and the potential impact of E-Privacy Regulations.

Read More
SA Law Red arrow neon light image
Views & Insights
Google issued with £44m fine over GDPR breach

Head of Employment and Data Protection, Chris Cook, explains Google's GDPR breach that led to landmark £44 million fine.

Read More
SA Law Red arrow neon light image
Views & Insights
What is the difference between a controller and processor under the Data Protection Act 2018?

Partner and Head of Employment & Data Protection, Chris Cook describes how to distinguish between a processor and controller under GDPR.

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR - 6 Months On

Partner and Head of Employment & Data Protection Chris Cook comments on the impacts of GDPR over the past 6 months.

Read More
SA Law Red arrow neon light image
Views & Insights
ICO publishes passwords and encryption guidance

Partner, Chris Cook, identifies the new ICO guidance on passwords in online services and encryption under GDPR.

Read More
Stained glass window Employment SA Law
Views & Insights
GDPR and SARs; staying compliant and protected

Partner and Head of Employment & Data Protection, Chris Cook writes in Education Executive about the GDPR and SARs.

Read More
Red arrow light
Views & Insights
Divorce and the GDPR

In the Financial Times Adviser, Marilyn and Chris discuss the implications of being jointly instructed by one party in the proceedings.

Read More

© SA LAW 2019

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.