Skip to content

ICO warns people to think before taking client records to a new company

25 July 2016

​The ICO has recently issued a warning (Mark Lloyd – ICO Enforcement Notice) to employees that taking client records which contain personal information is a criminal offence, following the prosecution of an employee who took client records with him when joining a competitor company. This case demonstrates that there may be criminal consequences for an employee taking any confidential and/or customer information, in addition to any consequences arising from a breach of their contractual employment obligations or from a breach of confidence. Whilst this may act as a deterrent to employees, it is still important for employers to put in place their own robust protections against such breaches and take action to stop the use of any confidential information stolen.

Mark Lloyd was a waste disposal employee, at Acorn Waste Management Ltd (the Company), who emailed information regarding 957 of the Company’s clients to his personal email account before leaving to take up a role at a rival company. The information included contact details, customer purchase history and commercially sensitive information which was deemed to constitute personal information under the Data Protection Act 1998 (the DPA). Mr Lloyd pleaded guilty to the criminal offence of unlawfully obtaining data under s55 DPA and was fined GBP 300, ordered to pay a victim surcharge of GBP 30 and GBP 405.98 costs.

Following the prosecution, the Information Commissioner’s Office has publicly reinforced the message that “taking client records that contain personal information to a new job, without permission, is a criminal offence” and has warned that employees should “be aware that documents containing personal data they have produced or worked on belong to their employer and are not theirs to take with them when they leave.”

Contractual terms

Employees who have access to commercially sensitive information should be employed on strict contractual terms, which may include the following protections:

  • garden leave provisions and post-termination restrictions, where employees are prohibited from joining competitors or dealing with certain customers for a period of time after termination of employment;
  • express confidentiality provisions applying during and after termination of employment;
  • obligations to return all company property and information on termination of employment, or earlier by request; and
  • intellectual property provisions.

Employee monitoring

In light of advances in technology and the resulting and increasing threats to cyber security, it is also essential for employers to consider reducing data security risks more generally by monitoring employees’ emails, instant messages and internet use within the parameters permitted under the relevant law. For instance, in the UK monitoring is allowed for a range of specific business reasons including compliance with regulation or company policy, preventing a crime and to investigate unauthorised use of company IT systems and must be carried out in accordance with the ICO’s Employment Practices Code.

Taking action

Once an employer is aware that confidential information has been taken by an employee, they may seek to enforce any post-termination restrictions in the employee’s contract and take steps to obtain an injunction. For instance, the employer may apply for a springboard injunction to prevent the employee from taking unfair advantage or benefitting from the use of the stolen information and/or from joining the competitor company. Alternatively, or if the employer is not successful in obtaining an injunction, it may seek damages from the employee for breach of the post-termination restrictions.

Employers may also consider putting in place an internal contingency plan to recover compromised company data in the event of a breach. This should involve teams from across the company including IT, legal, HR, communications, security and compliance and potential action could (depending on the nature of the breach) even include private investigators or international arrest warrants

COMMENT

This case demonstrates that the consequences of an employee taking any confidential and/or customer information can be criminal, in addition to any other consequences arising from a breach of their employment obligations. Whilst the threat of this criminal offence may be a deterrent, employers should bolster the position with robust contractual protections that apply throughout the employment relationship.  These protections should not only seek to prevent confidential information being stolen in the first place, but also from being used subsequently.

Further information

This case summary is part of the Allen & Overy Litigation and Dispute Resolution Review, a monthly publication.  For more information please contact Sarah Garvey sarah.garvey@allenovery.com, or tel +44 20 3088 3710.​