
Can employees be prosecuted for data protection breaches

A new law that came into force in the UK in May 2018 provides that employees can face prosecution for data protection breaches. As with previous legislation, the new law (the Data Protection Act 2018) contains provisions making certain disclosures of personal data a criminal offence. The Information Commissioner’s Office has prosecuted several individuals in the last couple of years for misusing personal information obtained from their workplaces.


The old Data Protection Act 1998

The previous Data Protection Act (the “DPA 1998”) criminalised knowingly or recklessly obtaining, disclosing or procuring personal data without the consent of the data controller, and the sale or offering for sale of that data (section 55).

Section 55 was most often used to prosecute those who had accessed healthcare and financial records without a legitimate reason.


Examples of employees being prosecuted for data protection breaches

In recent years there have been several cases of employees being prosecuted for breaching data protection regulations.


Example one:

A former GP practice manager was fined for sending personal data to her own email account without authorisation.

Shamim Sadiq worked at Hollybrook Medical Centre in Littleover, Derby, but was suspended on 3 November 2017 for unrelated matters and dismissed later that month.


Sadiq, of Carlton Road, Derby, admitted unlawfully accessing personal data and received a £120 fine, plus £364 prosecution costs and a victim surcharge of £30.


Example two:

A recruitment consultant emailed the personal data of approximately 100 clients and potential clients to her personal email address, before leaving the organisation. She then used this information to contact those individuals in her new job.


When her ex-employer discovered this, it informed the Information Commissioner’s Office, which brought a case against Ms Gray under section 55. Having pleaded guilty to the offence, she received a £200 fine and was ordered to pay £214 prosecution costs plus a £30 victim surcharge.


The case, R v Rebecca Gray, shows how the legislation can be used by employers faced with a data breach by an employee or ex-employee.


Example three:

An employee of Heart of England NHS Foundation Trust (HEFT) unlawfully accessed the personal records of 14 individuals between February 2017 and August 2017, and received a fine accordingly.


An internal investigation found that the employee had viewed personal data of seven family members and seven children known to her. Although she was authorised to access records on HEFT’s systems, there was no business need for her to do so on these occasions and therefore she broke data protection law.


The employee pleaded guilty to breaching section 55 and section 60 of the Data Protection Act 1998 when she appeared at Birmingham Magistrates’ Court on 15 March 2019. She was ordered to pay a £1,000 fine with a £50 victim surcharge and was ordered to pay £590 towards prosecution costs.


The General Data Protection Regulation and the Data Protection Act 2018

The General Data Protection Regulation (GDPR) is an EU regulation dealing with data protection and privacy, as well as the transfer of personal data outside the EU, which applies to all EU citizens.


It replaced the former European data protection directive, which had been in place since 1995. The GDPR came into force automatically in the UK on 25 May 2018. The requirements of the GDPR were enacted into UK law by the Data Protection Act 2018, which came into force on the same day.


Because GDPR has been enacted into domestic legislation by Parliament, its provisions will continue to apply after Brexit, unless the Data Protection Act 2018 is amended.


GDPR and the Data Protection Act 2018 repeat and build upon section 55 of the 1998 Data Protection Act by adding the offence of knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data controller (usually the employer).


Although prosecutions by the Information Commissioner’s Office (ICO) are still relatively rare, it seems likely that it will continue to pursue individuals through the Courts, particularly where a complaint has been made.


The ICO will decide whether or not to bring a GDPR related prosecution in the Courts; it will usually notify the individual concerned in writing of its intention to do so. This would usually be followed by a formal summons to Court for trial.


Employment law issues surrounding data protection breaches

Data controllers are subject to increasingly stringent requirements and potentially far harsher penalties from the Information Commissioner. For example, they must notify the Information Commissioner within 72 hours of any data breach concerning personal data held by them.


Consequently, employers are likely to regard a workplace data protection breach more seriously themselves. With litigation and reputational risks increasing, employers may be tempted to discipline their workers more harshly for a breach, and to treat such breaches as gross misconduct. This would allow the employer to dismiss without notice or pay in lieu of notice where such a breach is proven.


Preventing an employee data breach

Ideally, employers will now be focusing on prevention rather than cure when it comes to employee data handling. This can be achieved by ensuring regular and adequate training for relevant staff about legislation such as GDPR, and putting in place clear and properly communicated policies.


Employees need to be very clear about their obligations and if in doubt should ask for clarification from managers as to the extent of their responsibilities and for further training, if it is felt this is needed.


Where an employee has particular concerns about the security of their employer’s personal data, they should raise these immediately.

An employee should never send personal data obtained at work to themselves or to any third party, other than as expressly authorised by their employer.


