MISUSE OF PERSONAL AND SENSITIVE INFORMATION
Every employer will have commercial and sensitive data that they would wish to remain confidential and not fall into the hands of competitors. However, problems can arise when employees leave employment to work for a competitor taking commercially sensitive information (client lists / pricing structures) with them.
Dependent upon the contract of employment and post termination restrictions (restrictive covenants), an employer may be able to obtain an injunction and / or seek damages for any loss arising from the breach of the confidentiality clause or restrictive covenants etc. But this can be a costly and timely process.
A recent criminal case is a good reminder that an employee who takes sensitive information may also face criminal sanctions under the data protection legislation.
A paralegal employed in a firm of solicitors, was prosecuted for illegally taking sensitive information of over 100 people before leaving to work for a rival firm. The contact information was contained in 6 emails sent in the weeks prior to him leaving, which he hoped to use in his new employment. The information contained template documents, workload lists, file notes. They contained sensitive personal data relating to individuals involved in ongoing legal proceedings, which he took without the permission of his former employer.
Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of ‘fine only’ - up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court.
In the Magistrates court, the paralegal was fined £300, ordered to pay a £30 victim surcharge and £438.63 prosecution costs.
The Information Commissioner’s Office continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use (or misuse) of personal information.
Employers will inevitably process personal data and they and their employees, with this in their job role, need to know that anyone who processes personal information must comply with the eight principles of the Data Protection Act. These make sure that personal information is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with employee's rights
Not transferred to other countries without adequate protection
If you need any help with this or any other matter, do not hesitate to contact us on 08456 446 006.