The Information Commissioner’s Office (ICO) is warning those who work with personal data that they must obey privacy laws in order to avoid prosecution and large fines, which are set to become even more substantial when the forthcoming General Data Protection Regulation (GDPR) comes into force in 2018. The warning follows the prosecution of a charity employee for data protection offences.
The employee, who worked for Rochdale Connections Trust, has been ordered to pay a total of £1,860.25 and a victim surcharge of £15 after pleading guilty at Preston Crown Court to unlawfully obtaining personal data under section 55 of the Data Protection Act. He was also given a conditional discharge for two years.
Following an investigation, it was discovered that on 22 February 2017 the employee had sent 11 emails to his personal email account containing information relating to 183 Trust clients, three of whom were children. The information included their names, dates of birth, telephone contact details and full medical records. It was also revealed that he had sent similar emails to his personal accounts the previous year, on 14 June 2016.
Steve Eckersley, Head of Enforcement at the ICO, stated: "People whose jobs give them access to this type of information need to realise that just because they can access it, that doesn’t mean they should."
The ICO can take action (including criminal prosecution) against organisations and individuals that process personal data. This includes the power to impose financial penalties on a data controller of up to £500,000.
Like the DPA, the GDPR includes the principle that personal data must be protected against unauthorised or unlawful processing. However, when the GDPR comes into force on 25 May 2018, employers will have the additional duty of accountability and will need to evidence their compliance with the regulations by showing they have policies and procedures in place to ensure that unauthorised and unlawful processing does not take place.
In addition, it is important that employers take proactive steps to promote best practice within their organisations by training staff on the consequences of misusing personal data and on how to avoid non-compliance. Reviewing contracts, policies and procedures relating to data protection will go a long way towards ensuring that employers are GDPR ready, and will help to avoid heavy financial sanctions being imposed on their employees.