Welcome to Stallard Kane Associates

Departing employee convicted of taking client records before joining rival firm

It has never been easier for employees leaving one job in order to start another – often in a rival organisation – to steal important data, such as client lists, order histories and trade secrets. Just a couple of clicks on the mouse and valuable information can be sent to a personal computer and used for the benefit of the new employer.

Mark Lloyd from Shropshire did just that. Before leaving his job at Acorn Waste Management Ltd, he sent the details of 957 customers, as well as purchase histories and other material, to his personal computer.

Criminal offence

The Information Commissioner’s Office (ICO) prosecuted Lloyd under section 55 of the Data Protection Act 1998 (DPA). This section covers unlawfully obtaining, disclosing or procuring personal data. Lloyd pleaded guilty to the offence at Telford Magistrates’ Court. He was fined £300 and ordered to pay a victim surcharge of £30 and £405.98 costs.

Following the prosecution, the ICO reminded employees that “taking client records that contain personal information to a new job, without permission, is a criminal offence”, adding that employees should “be aware that documents containing personal data they have produced or worked on belong to their employer and are not theirs to take with them when they leave.”

The criminal courts can currently impose an unlimited fine on the individual who has committed the offence. However, the ICO does not consider this to be enough of a deterrent and is calling for more effective sentences, including the threat of prison, to be available.

Civil remedies

The successful prosecution of Mark Lloyd is likely to be welcomed by employers, as action taken by the ICO under section 55 of the DPA would not affect their own right to seek a civil remedy. The normal procedure, provided action is taken speedily, would be to apply for an injunction, coupled with a claim for damages. This can be a daunting, time-consuming and costly prospect for businesses, and therefore making a complaint to the ICO would be an inviting alternative. The prospect of a criminal prosecution resulting in conviction and a criminal record might also cause the errant employee to make immediate restitution, which would prevent any personal data and business secrets from being used inappropriately.

Civil sanctions

Individuals within businesses can complain to the ICO if they believe that their personal data has been misused in any way. The ICO can impose fines of up to £500,000 on businesses that breach the DPA – a separate matter from the unlimited fine applicable in the criminal courts. Individuals are also entitled to claim compensation from data controllers for damage caused by any breach of the DPA. Compensation can be awarded in cases where the individual suffers distress as a result of the data breach.

Internal measures

The Lloyd case acts as a reminder to organisations of the importance of training staff on the provisions of the DPA. Employers who process personal information are required to comply with the eight principles of the Data Protection Act, which provide that personal information must be:

  1. Fairly and lawfully processed
  2. Processed for limited purposes
  3. Adequate, relevant and not excessive
  4. Accurate and up to date
  5. Not kept for longer than is necessary
  6. Processed in line with the rights of the data subject
  7. Processed safely and securely
  8. Not transferred to other countries without adequate protection

The seventh data protection principle, which requires employers to process personal data safely and securely in order to prevent unauthorised or unlawful processing, extends to requiring the employer to ensure the reliability of its employees.

Employees who have access to commercially sensitive information should be employed on contractual terms that include express confidentiality provisions applying during and after termination of employment, restrictive covenants and obligations to return all company property, and information on termination of their employment with the company.

This case demonstrates that employees who unlawfully take any confidential or customer information may face criminal prosecution, in addition to any civil liability arising from a breach of their employment obligations. While the threat of criminal prosecution may be a deterrent, employers should take steps to prevent personal data being compromised by ensuring they have robust security measures supported by appropriate policies, procedures and staff training.

 

Added: 21-09-2016
Back

Breaking News

Head Office:
First Floor Offices, 11-23 Market St.
Gainsborough, Lincolnshire
DN21 2BL

Tel: 01427 678660
 

HR and Accounts:
26/26a Hickman Street
Gainsborough, Lincolnshire
DN21 2DZ

Tel: 01427 678660
 

Hull Office:
West 1, West Dock Street
Hull HU3 4HH

Tel: 01482 534 348
 

Manchester Office:
Hyde Park House, Cartwright Street
Newton, Hyde, Cheshire SK14 4EH

Tel: 0161 367 1214
 

Birmingham Office:
2450 Regents Court The Crescent
Birmingham Business Park Solihull B37 7YE

Tel: 0121 69 59 290
 

London Office:
4th Floor, 86-90 Paul Street
London EC2A 4NE

Tel: 0207 111 0958