How Can You Protect Your Business' Data When an Employee Leaves?
Another recent prosecution by the Information Commissioner's Office (ICO) of a former employee highlights the need for employers to ensure they are taking appropriate measures when it comes to the protection of data.
The Facts
Ms Gray worked for a recruitment agency and emailed the personal data of approximately 100 clients and prospective clients to her personal email address before leaving to start a role at a rival recruitment company. Ms Gray subsequently used the data to contact those clients at her new job.
The ICO prosecuted Ms Gray for the offence of unlawfully obtaining data under section 55 of the Data Protection Act 1998. She pleaded guilty to the offence and was fined fined £200, ordered to pay costs of £214 and a victim surcharge of £30. The details of the prosecution, including Ms Grey's name, were also placed on the ICO's website.
Best Practice
Protecting data from theft is a constant issue for businesses, particularly those with large client databases such as those in the recruitment sector. As such, businesses must ensure that appropriate measures have been implemented to guard against any data breaches as far as practicable. If adequate measures are not in place and a business does not act appropriately in circumstances where there has been an data breach, the ICO has the power to impose fines of up to £500,000.
Whilst the possibility of prosecution by the ICO is a deterrent for employees who are considering taking confidential information to a new employer, it is still vitally important for organisations of all sorts to protect their legitimate business interests with a comprehensive and enforceable set of restrictive covenants in their contracts of employment.
Employers should also consider providing appropriate training on data protection issues, with a particular focus on the consequences and penalties that may be imposed for any breach.
For the belt and braces approach, employers could also include a contractual obligation on employees to sign a declaration at the end of their employment that they have not taken and will not take any personal data relating to the employer's clients or prospective clients.
In June last year, we reported on a case with very similar facts and outlined a number of additional best practice points.