The protection of client and candidate data is a key issue for staffing businesses. However, it is common for recruitment consultants to leave their employment and either join a competitor or set up on their own and take their previous employer's client and candidate data with them.
The recent prosecution by the Information Commissioner's Office (ICO) of an employee who transferred his employer's clients' data to his personal email address before leaving and starting a new job shows the ICO is taking the issue seriously and serves as a warning to consultants who may be considering their next career move.
Mr Lloyd worked at a waste management company and emailed the details of 957 clients to his personal account before leaving to start a new job at a rival company. The details contained personal information, contact details of customers, purchase history and commercially sensitive information.
The ICO prosecuted Mr Lloyd under s.55 of the Data Protection Act, which states that a person must not knowingly or recklessly obtain or disclose personal data or the information contained in personal data, without the consent of the data controller.
He was fined £300 and ordered to pay £405.98 costs and a £30 victim surcharge.
Most staffing businesses will be aware that a consultant who takes the personal data of clients and candidates without consent may be breaching the terms of their employment contract (either express terms of confidentiality or the implied duty of fidelity). Many may not know that the consultant could also be committing a criminal offence.
Whilst a prosecution can only be brought by the ICO or with the consent of the Director of Public Prosecutions (DPP), a referral to the ICO (or seeking consent of the DPP) may act as a serious deterrent to the exploitation of such data. It is therefore something for staffing businesses to consider.
A note of caution however: staffing businesses must bear in mind that they too may face liability if it is found that they have not acted appropriately to protect sensitive personal data. A referral to the ICO may inadvertently place them under scrutiny - and with fines of up to £500,000, this could be very unwanted scrutiny indeed.
To guard against this, staffing businesses are advised to implement a policy for dealing with information security breaches, which includes:
It is also important to bear in mind that once a matter has been referred to the ICO, the staffing business loses control of the process and cannot subsequently agree with the consultant to withdraw the referral.
The actions of Mr Lloyd are also a reminder of the importance of properly drafted confidentiality and restrictive covenant provisions in employment contracts. Such provisions may discourage consultants from seeking to use confidential information and clients' details in their future endeavours. They may also provide the staffing business with the opportunity to take action against a consultant to prevent the exploitation of such information. This might include applying for an injunction to prevent the stolen data from being utilised.
Whatever steps the staffing business considers taking when faced with a consultant copying, downloading, removing or retaining client or customer data without consent, taking action quickly is essential. When it comes to data breaches, prevention is definitely better than cure.