Employee misuse of Company data - another weapon in the employer's armoury

Employees misusing confidential data, particularly in readiness for a move to a competitor, is sadly an all too common occurrence. While employers are likely to have express clauses on confidentiality in their employment contracts and such action by employees is likely to amount to gross misconduct, employees who are leaving may simply be blasé about such ramifications, particularly if they have the support of their new employer. We often advise employers that are writing to employees (and their new employers) about such breaches to include a threat to report the employee (and their new employer) to the Information Commission for breaching data protection legislation – their misuse of the information will amount to unlawful processing given that there will be no consent from the data controller for the data to be used in this way. However, even if such a threat is included it is rarely acted upon and, historically, has not caused the employee (or their new employer) much concern.

That may well be about to change. Last month the Information Commissioner’s Officer prosecuted an employee who had misappropriated information about his employer’s clients in readiness for a move to a new job with a competitor. The data was sent by the employee to his personal email address. Sound familiar? The information amounted to personal data and the employee’s actions were found to have breached section 55 of the Data Protection Act 1998. This provides that a person must not knowingly or recklessly, without the consent of the data controller (in this case his current employer), (i) obtain or disclose personal data or the information contained in personal data or (ii) procure the disclosure to another person of the information contained in personal data. Breach amounts to a criminal offence and, although in this case the fine was relatively minor (just under £1,000 in terms of the combined fine, victim surcharge and costs), the risk of a criminal record may be one the employee is not prepared to take. Of course, if the new employer is found to have consented or connived in, or been negligent in respect of, the breach, they too will have committed an offence.

The ICO’s approach in this case was not a one-off. In April 2016 a similarly robust approach was taken by the ICO, following which it warned that "anyone who tries to unlawfully obtain, disclose or sell personal data should expect to see themselves hauled before the courts". If the ICO’s recent call for custodial penalties for DPA breaches is implemented - a power to impose such sentences was enacted but has not yet been activated by the Secretary of State - we can expect to see an even tougher stance being taken which will further strengthen the employer’s position.

For those of you in financial services firms, the risk to the employee is even greater. Such an offence is likely to amount to a conduct breach as it goes to integrity, and for certified persons, it will go to fitness and propriety. Again, the threat of reporting such a matter to the Regulators may be enough to dissuade an employee from such actions.

So what should you be doing? Build these matters into template leavers letters, making it clear to employees that if they take confidential data from the company which contains personal data, reports will be made to the ICO (and, for financial services firms, to the Regulators). This could also be built into relevant policies and training so that employees are clear from the start about what may happen if they breach their obligations.