“(Section 55) Shades of Gray” - using the Data Protection Act to prevent employees misusing or taking data
27 February 2017
A recent case has highlighted a potentially helpful mechanism in the Data Protection Act 1998 (“DPA”) for employers to use if they are concerned about employees taking data when they leave.
Under section 55 of the DPA, a person who obtains personal data, knowingly or recklessly, without the consent of the data controller, is potentially guilty of a criminal offence. Although prosecutions for such offences are rare, the case of R v Rebecca Gray illustrates how section 55 can be used by employers faced with a data breach.
The case concerned a recruitment consultant who, before leaving for a new job, emailed the personal data of approximately 100 clients and potential clients to her personal email address. She then used this information to contact those individuals in her new job.
When her ex-employer discovered this, it informed the Information Commissioner’s Office (“ICO”), which brought a charge against Ms Gray under section 55 of the DPA. Having pleaded guilty to the offence, she was fined £200 and ordered to pay £214 prosecution costs plus a £30 victim surcharge.
Ensuring employees are aware of the existence of section 55 can be useful in a variety of situations, particularly where someone’s employment is being or has been terminated. Departing employees may wish to obtain personal data in order to prepare a case, communicate with clients and potential clients, or access confidential information which may be useful in a new role. In some cases, such as this latest one, the employee may not be aware that doing so is potentially against the law. In other cases, unscrupulous employees will know they are breaching terms in their contracts of employment, but few are likely to realise they may be committing a criminal offence.
Informing employees that taking this type of information may be a criminal offence can be an effective preventative measure, ensuring they abide by their contractual restrictions and duties of good faith. If an employee has already taken data, putting them on notice that an offence may have been committed could lead to it being returned. Employers should have policies in place, together with effective procedures for on-boarding new recruits and exiting leavers, which deal with these issues.
This may be particularly useful in regulated professions, for example financial and professional services. Although the penalties for crimes committed under section 55 are low (normally a three-figure fine at most), the potential threat of a criminal record is of far greater preventative value. Employees will be keen not to have to declare a conviction under section 55 of the DPA, or for any offence to appear on a Disclosure and Barring Service check. In addition, regulatory bodies such as the Financial Conduct Authority (“FCA”) or Solicitors Regulation Authority (“SRA”) may need to be informed of any wrongdoing, even if the employee has not been convicted of a crime.
Employers should be mindful, however, of their own reporting obligations in this situation. They may need to report the breach voluntarily to the ICO and should consider the reporting obligations for other professional or regulatory bodies such as the FCA or SRA. (Similar obligations will potentially apply under the mandatory provisions of the General Data Protection Regulation after April 2018.) The employer should therefore carefully consider how and when to accuse an individual of breaching section 55, as this could set in motion a train of events whereby it is obliged to report to a regulatory organisation.