The Information Commissioner’s Office (ICO) is warning workers after a charity employee is prosecuted for data protection offences.
Charity worker Robert Morrissey, 63 had sent 11 emails from his work email account, which contained the sensitive personal data of 183 people, three of whom were children. The personal data included full names, dates of birth, telephone numbers and medical information. The defendant had done so without the knowledge of the data controller, his employer, the Rochdale Connections Trust. Further investigation showed that he had sent a similar database to his personal account on 14 June 2016.
Morrisey, of Milnrow, Rochdale, appeared at Preston Crown Court and admitted unlawfully obtaining personal data in breach of Section 55 of the Data Protection Act 1998 (DPA). He was consequently given a conditional discharge for two years and was also ordered to pay prosecution costs of £1,845.25, as well as a victim surcharge of £15.
Steve Eckersley, Head of Enforcement at the Information Commissioner’s Office said:
“People whose jobs give them access to this type of information need to realise that just because they can access it, that doesn’t mean they should. They need to have a valid legal reason for doing so…especially when it is sensitive personal data.”
People working with personal information have thus been warned they must obey privacy laws in order to avoid prosecution and large fines which are set to become even more substantial under the forthcoming General Data Protection Regulation (GDPR).
Like the DPA, the GDPR includes the principle that personal data must be protected against unauthorised or unlawful processing as has occurred in the above case. However, the GDPR has introduced a new principle of accountability and employers now have a positive obligation to evidence their compliance with the data protection principles. As part of this exercise, employers should make time to review their contracts of employment and employee data protection policies and practices to get themselves 'GDPR ready'.
David Gibson, Partner in the Employment Team and Data Protection Specialist at Short, Richardson & Forth explains:
“It is imperative that employers take proactive steps to ensure that not only are there policies and procedures in place, but that a workplace culture that promotes best practice is entrenched. Therefore, training of all staff with regular reviews and spot checks to make sure that all workers understand and are compliant with regard to not misusing information is key. Issues in relation to breaches must be fully investigated, a procedure followed and relevant sanctions administered.”
For advice on preparing for the GDPR and more information on our training packages, please do not hesitate to contact David Gibson at firstname.lastname@example.org or Andrew Swan – Head of Regulation and Financial Crime at email@example.com or at 0191 232 0283.