The Information Commissioner's Office (ICO) has prosecuted an employee who transferred his employer's clients' data to his personal email address before leaving and starting a new job.
Mr Lloyd worked at a waste management company and emailed the details of 957 clients to his personal account before leaving to start a new job at a rival company. The details contained personal information, contact details of customers, purchase history and commercially sensitive information.
The ICO prosecuted Mr Lloyd under s 55 of the Data Protection Act, which states that a person must not knowingly or recklessly obtain or disclose personal data, or the information contained in personal data, without the consent of the data controller.
He was fined £300 and ordered to pay £405.98 costs and a £30 victim surcharge.
Most employers will be aware that an employee who takes personal data of clients and customers may be breaching the terms of their employment contract (either express terms of confidentiality or the implied duty of fidelity). Many may not know that such an employee could also be committing a criminal offence.
While a prosecution can only be brought by the ICO or with the consent of the Director of Public Prosecutions (DPP), a referral to the ICO (or seeking consent of the DPP) may act as a serious deterrent to the exploitation of such data. It is therefore something for an employer to consider.
A note of caution, however: employers must bear in mind that they too may face liability if it is found that they have not acted appropriately to protect sensitive personal data. A referral to the ICO may inadvertently place them under scrutiny - and with fines of up to £500,000, this could be very unwanted scrutiny indeed.
To guard against this, employers are advised to implement a policy for dealing with information security breaches, which includes:
a recovery plan;
procedures for damage limitation;
details on assessing the seriousness of the breach and the associated risks;
information on who should be notified (such as the individuals concerned, the ICO, other regulatory bodies, the media and other third parties such as the police) and the procedure for notifying them; and
the procedure for investigating the causes of the breach and the effectiveness of the response.
It is also important to bear in mind that, once a matter has been referred to the ICO, the employer loses control of the process and cannot subsequently agree with the employee to withdraw the referral.
The actions of Mr Lloyd are also a reminder of the importance of properly drafted confidentiality and restrictive covenant provisions in employment contracts. Such provisions may discourage employees from seeking to use confidential information and clients' details in their future endeavours. They may also provide an employer with the opportunity to take action against an employee to prevent the exploitation of such information. This might include applying for an injunction to prevent the stolen data from being utilised.
Whatever steps an employer considers taking when faced with an employee copying, downloading, removing or retaining client or customer data without consent, taking action quickly is essential. When it comes to data breaches, prevention is definitely better than cure.