Data Protection Offence

February 03, 2017


Data Protection Offence

The facts are not unusual.  The outcome is salutary.

One Rebecca Gray was working for a recruitment company in Widnes.  She decided to leave and join another recruitment agency.  Before leaving, she accessed her current employer’s database and emailed the details of about 100 potential workers to her home address with a view to using that information in her new job.  She then proceeded to email those workers to offer her new employer’s services.

The first reaction of an employer where it is discovered that an employee has unlawfully taken its property (in the form of database details) is normally to dust down the contract of employment and check that restraints were expressly in place.  If not, then ask whether implied terms would give a cause of action.

But all this implies a civil action.  The wronged employer would probably write a letter to the errant former staff member (and the new employer) demanding that she gives undertakings to desist, to deliver up a list of all people contacted, and to compensate the wronged employer for all losses both actual and reputational, and to compensate for all costs incurred.

The problem with all this is that it probably not that cost effective.  The new employer and the errant former employee will probably agree not to use the ill-gotten data and return everything that had been abstracted; but actually proving loss and getting money out of someone is never easy.  It is one thing if the case concerns highly paid City traders; it is quite another if it concerns the average worker in a small industry.

Although we don’t know the full facts (they haven’t been reported) this particular case took on a new twist.

In general only the Information Commissioners Office (ICO) can bring criminal prosecutions under the Data Protection Act.  This is what happened here.  One of the offences that can be committed is:

S55 Data Protection Act “Unlawful obtaining, disclosing, or procuring the disclosure of personal data without the data controller's consent.” 

In this case, the data controller was the wronged employer.

Presumably that employer or their solicitors contacted the ICO and a prosecution ensued.

Ms Gray pleaded guilty to the offence under section 55 of the Data Protection Act, and was fined £200, ordered to pay £214 prosecution costs and a £30 victim surcharge.  Ms Gray will have ended up with a criminal record.

All this is not to suggest that appropriate contractual provisions should be ignored; far from it.  But it does point a way for those whose data has been abstracted, even if not subsequently used, to get some retribution and justice.

For help and advice on contractual and employment matters, please call Julian Freeland on 01865 244661

posted by Julian Freeland | February 03 2017