This is also a helpful reminder as part of the General Data Protection Regulation (GDPR) which applies from 25 May 2018.
The Case of Mr Morar
Nilesh Morar, a former employee in the Adult Social Care Department of Leicester City Council, has been prosecuted under Section 55 of the Data Protection Act 1998 (DPA) for unlawfully obtaining personal data.
Mr Morar sent the sensitive personal information of 349 service users to his personal email address. This included financial as well as medical information.
Leicester City Council uncovered the breach after Mr Morar's employment had terminated, and reported the matter to the Information Commissioner's Office (ICO), which took action against him.
Mr Morar pleaded guilty. He was fined £160, ordered to pay £364.08 prosecution costs and a £20 victim surcharge.
It is reported that Mr Morar had received training in data protection during the course of his employment and the Council had in place the correct policies and procedures.
Points to Note
- Information security has been a high-risk area of data protection compliance for a number of years now under the DPA. The majority of fines served by the ICO have been in relation to data breaches.
- Most organisations are not currently required to report data breaches to the ICO. However, the GDPR introduces a requirement to report certain data breaches to the ICO within a strict timeframe and to notify affected individuals of breaches which present high risks.
- In addition, the GDPR very much builds on the DPA requirement to have both technical and organisational measures to keep personal data secure. Technical measures include ensuring adequate network security and using encryption where appropriate whilst organisational measures include policies and training for staff.
- We recommend that employers update their contracts, policies and training to provide robust guidance for staff on information security. In light of the requirement to report certain breaches to the ICO, staff should be told to report any suspected breach to a senior member of staff immediately and understand the consequences this may have on them personally if they are found to have unlawfully obtained personal data.
- Whilst we are not aware of enforcement action being taken against Leicester City Council on this occasion, employers should be aware that they may be subject to enforcement action (including fines) due to the acts of their employees, particularly where they are found to have insufficient technical and/or organisational measures in place. Once the GDPR applies, the cap on fines that can be issued by the ICO will increase vastly, to £17 million.
Steps to Take
- Have data protection policies and training for staff which are effective. Policies should be practical, easy to read, relevant to staff and regularly revised. Training should back up your policies and preferably include an element of testing in order to demonstrate compliance (another requirement of the GDPR).
- Update employment documentation to inform staff of the requirement to report certain breaches and the potential personal consequences if they are found to have unlawfully obtained personal data.
- To ensure that data breaches are dealt with effectively, it is best practice to have a group of senior staff who are responsible for dealing with different aspects of a data breach, e.g. HR, technical and reputation management. You should have a data breach policy and procedure in place. Ensure staff understand the importance of telling a senior member of staff immediately if they suspect a data breach.
For further information or advice, please contact Jenny Marley, in our Employment Law team, on 0117 314 5378, or Claire Hall, in our Data Protection team, on 0117 314 5279.