Criminal offences under the Data Protection Act: lessons for employers
A car rental manager has pleaded guilty to unlawfully obtaining personal data as a result of accessing over 200 customer records. The ICO press release points out that the case is a reminder to employees that “Just because your job may give you access to other people’s personal information, it doesn’t mean you have the legal right to look at it whenever you like”.
The employee had worked for Enterprise Rent-A-Car, who were alerted to a potential concern after the employee visited his workplace outside scheduled hours on a Sunday. The employee was dismissed for gross misconduct following an internal investigation in which he confirmed that he had accessed records which he had no reason to access. He pleaded guilty to the offence of unlawfully obtaining personal data under s170 of the Data Protection Act 2018 and was fined £265 plus costs and a victim surcharge.
No additional evidence was found to show Mr Saleem had sold the data or made any financial gain; which is why he was charged with unlawfully obtaining the data.
This case is a good reminder to employers to:
- Make clear in your data protection policy that employees should not be accessing personal data that is not relevant to their role. This will enable you to take swift action against an employee where appropriate;
- In advance of any data issue, ensure you have adequate internal or external IT support lined up to assist in a crisis moment such as an urgent investigation or a cyber-attack;
- If you have a concern that an employee is accessing personal data that they should not be accessing, you should:
- Act swiftly in seeking to mitigate the damage to customers, employees or other data subjects;
- Consider both the civil and criminal actions that could be relevant against the employee;
- Consider what action you should take to mitigate the damage caused;
- Remember that this is likely to be a data breach under the UK GDPR, so consider your reporting obligations to the ICO or the affected data subjects.
Should you need any assistance with these matters, please contact the author or your usual Mills & Reeve contact.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.