As an organisation, you will generally be satisfied that you understand your obligations under the Data Protection Act 1998 (“DPA”), particularly given that most QCS clients will be handling what section 2 of the DPA defines as “sensitive personal data”, such as medical records, information on racial or ethnic origin, and data on physical or mental health conditions. Organisations will, therefore, have taken sufficient steps to ensure that this sensitive personal data, along with any other data the organisation controls and/or processes (such as data relating to its employees), is kept secure and processed appropriately, and that the organisation is registered with the Information Commissioner’s Office.
But what about your employees?
Do they understand their obligations under the DPA, and have appropriate protections been put in place to prevent them from misusing personal data? With the General Data Protection Regulation, and a new Data Protection Act to implement it, on the horizon, it has never been more important to review the organisation’s protections and to ensure that everyone within the organisation knows their obligations and their potential liabilities. This has been thrown into sharp relief by the recent case involving a former employee of Leicester City Council.
Nilesh Morar was employed in Leicester City Council’s Adult Social Care department until he chose to leave in 2016 in order to set up his own business. When the Council became aware of Mr Morar’s new business venture, it carried out an investigation, which discovered that in February 2016, prior to leaving his role at the Council, Mr Morar had sent 34 emails to a private email account. These emails contained the personal data of 349 individuals who were service users of the Council’s Adult Social Care department, including sensitive personal data such as medical conditions, details of care, financial details and records of debt. Mr Morar had the consent of neither the Council nor the service users to take this data. This is a criminal offence under section 55 DPA.
Following the ICO’s involvement, Mr Morar was prosecuted and, at Nuneaton Magistrates’ Court, was ordered to pay a fine of £160.00, £364.08 in prosecution costs and a £20.00 victim surcharge. Employees should be left in no doubt as to the ICO’s approach when matters such as these are reported to it. Steve Eckersley, Head of Enforcement for the ICO, said:
“People’s personal data is protected by law and employees should not be helping themselves to information if they decide to set up a new business or move to a new position. Employees need to understand the consequences of taking people’s personal information with them when they leave a job role. It’s illegal and when you’re caught, you will be prosecuted.”
It is therefore essential that employees know the obligations to which they are personally subject under the DPA. Organisations should introduce training for those with access to personal data and have a clear Data Protection Policy outlining employees’ duties and obligations.