Thoroughly knowledgeable,
very pragmatic and
quick-thinking

Chambers Guide

Blog

Keep up to date with our blog articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.

Criminal liability for data protection breach by departing employee

An ICO prosecution against an employee who emailed herself a client list demonstrates that the criminal law has a role in breaches of confidence.

Departing employees are the greatest threat to any organisation’s confidential information. Even if they are not motivated primarily by malicious intent towards the employer, many will consider taking confidential information with them that may be of use in their new role.

Such information is usually protected by the civil law relating to confidentiality.  Many employees in senior or technical positions will have extensive confidentiality obligations in their contracts.  Even where there is no express obligation, the law will often infer a duty of confidence.  This often forms the basis of an injunction to deliver up or destroy such information and other prohibitions to prevent former employees and their new employer gaining an unfair advantage from a breach of confidence.

By contrast, the criminal law in the United Kingdom does not contain many offences specifically directed at breach of confidence or corporate espionage, despite concerns that the civil law is insufficiently dissuasive in dealing with breaches by individuals with very few assets.  An observation was made in the House of Commons in 1968 that the boardroom table is better protected from theft than the boardroom secrets. That remains largely true.

However, a recent prosecution by the Information Commissioner provides an example of criminal liability for a breach of confidence by a former employee.  An employee at a Widnes recruitment agency emailed a list of 100 clients to her personal email address upon leaving for a rival.  The employee was prosecuted for breach of section 55 of the Data Protection Act relating to obtaining or disclosing personal data without the consent of the data controller.  She was fined £200 and ordered to pay £214 prosecution costs and a £30 victim surcharge.

Although the sanction for the offence was modest in this instance, the dissuasive effect of a criminal conviction is likely to be considerably more than a mere civil law remedy.  As a result, employers dealing with breaches of confidence by departing employees should consider the data protection issues arising, both in terms of their own responsibilities as data controllers and because of the possibility of an ICO prosecution.

Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.

This site uses cookies to improve your user experience. By using this site you agree to these cookies being set. To find out more see our cookies policy