Misuse of company data – new ICO prosecution guidelines

We all know that these days data is king. We also know the problems that can be caused when data gets lost or misused; think of the storm that erupted when TalkTalk’s systems were hacked a couple of years ago. All businesses need to treat client information very seriously because they have obligations under the Data Protection Act to ensure that customer data is not misused. If it is, there can be very serious consequences for the business, as the Information Commissioner’s Office (ICO) may well prosecute.

New ICO prosecution guidelines

The ICO has recently released prosecution guidelines which give some indication of how the ICO will deal with cases where customer data has been misused. They can be accessed at https://ico.org.uk/media/about-the-ico/policies-and-procedures/1882/ico-prosecution-policy-statement.pdf.

It is of particular significance for employers following a recent case where a former employee of Lex Autolease Limited downloaded records of 551 Lex Autolease customers who had been involved in road traffic accidents. He emailed them to his own private email address and subsequently sold them on to a third party as personal leads.

That employee was prosecuted and fined under Section 55 of the Data Protection Act 1998. He was fined £500.00 and ordered to pay prosecution costs and the victims’ surcharge. Although the ex-employee took the pain on that occasion, employers should not be complacent, as they can be prosecuted too.

Will the ICO prosecute a person or a company?

In considering whether to prosecute a person or company, the ICO will consider whether there is sufficient evidence to proceed and whether a prosecution would be in the public interest. This is a similar test to the one the Crown Prosecution Service uses. The prosecution will also be considered in line with the ICO’s regulatory principles. Where a decision is made to prosecute, the defendants will be contacted and offered an opportunity to make representations.

The ICO guidelines suggest that a prosecution will be sought where:

  • the accused has breached the law for financial gain;
  • the accused has abused a position of trust;
  • the accused has systematically obtained or attempted to obtain personal data;
  • there are multiple individual complainants;
  • any previous convictions, cautions or prior warnings have been ignored.

Furthermore, if there are grounds for believing the offence will be repeated or continued, that will also point towards prosecution.

A further consideration, particularly for employers or employees who seek to make money from selling personal leads, is that the Proceeds of Crime Act can be applied to recover monies that may have been gained from the selling of customer information. This is probably only likely in cases where substantial amounts of money are involved, but it should not be overlooked that it is a power open to the ICO.

Limited companies

Limited companies also need to bear in mind that a prosecution could be brought against a person in a position of responsibility, such as a director or manager, where the offence was committed with their consent, connivance or negligence. In those cases consideration will be given to the status of the person involved and their position within the structure of the company. It is quite possible that a prosecution could be brought against the company and also against one or more of its senior employees.

Robust internet usage and data protection policy in place

All responsible companies should have a robust internet usage and data protection policy in place. Further, they should make sure that such policies are adhered to, so that if a rogue employee tries to gain advantage from selling customer data, the company will be able to show that it did all it could to prevent the theft. This will reduce the risk of successful prosecutions or civil claims based on the company’s vicarious liability for the acts of its rogue employee. Even if it is not always possible to prevent a rogue employee from exploiting company data, such policies will at least show that the company takes a responsible attitude towards data protection.