An ex-employee of Leicester City Council has recently been prosecuted for unlawfully obtaining personal data.
Mr Nilesh Morar took the details of service users of Leicester City Council’s Adult Social Care Department without his employer’s consent, which is contrary to section 55 of the current Data Protection Act.
The Council became aware that after leaving the Council he had set up his own business. The defendant then pleaded guilty to the offence and was fined £160, ordered to pay £364.08 prosecution costs and a £20 victim surcharge.
It was later discovered that the personal information of 349 individuals was sent to his personal email address, including sensitive personal data relating to service users: medical conditions, details of care, financial details and records of debt.
Head of Information Commissioner’s Office (ICO) Enforcement Steve Eckersley said:
“People’s personal data is protected by law and employees should not be helping themselves to information if they decide to set up a new business or move to a new position.
Employees need to understand the consequences of taking people’s personal information with them when they leave a job role. It’s illegal and when you’re caught, you will be prosecuted.”
The General Data Protection Regulation 2016 (GDPR)
The GDPR comes into force in May 2018. This will see a major overhaul of the data protection rules and will have a significant impact on organisations such as Councils, who deal with data in any form.
Whilst the GDPR is reflective of current data protection laws, it is more onerous and gives the ICO greater enforcement powers. It also includes more rights for individuals and provisions which promote accountability and governance, with a view to minimising the occurrence of breaches.
Partner Andrew Swan, Head of the Regulatory Team at Short, Richardson & Forth, states:
“I deal with many clients subject to enforcement action by the ICO and prosecution under data protection laws. I often see a lack of understanding of the rules, but this must change under the GDPR.”
Employers should make sure that the contracts of employment and/or policies that they issue to staff cover data protection issues, misuse of confidential information and post-termination restrictions. It is also imperative that employers take proactive steps to ensure that not only are there policies and procedures in place, but that a workplace culture that promotes best practice is entrenched, to avoid prosecutions like that of this ex-employee of Leicester City Council. Training of all staff, with regular reviews and monitoring of employees, is key to ensuring compliance with the new GDPR.
At Short Richardson & Forth, we offer a unique service and work with your senior personnel and staff to impart our extensive knowledge of the GDPR and amend policies and procedures to ensure all are compliant.
For more information on our training packages, please do not hesitate to contact Andrew Swan, David Gibson or Sheila Ramshaw.