A former employee of a waste management company has been fined for taking client data with him to his new job.
An employee may have spent a long time building and nurturing a list of client contacts. When they leave their job, they may think that this list should naturally move with them. After all, it was them who had worked hard on the client relationships and been able to collate this information, so they should be able to benefit from their efforts in their next job right? Wrong!
As he was preparing to leave his job at Acorn Waste Management Limited to work for a rival firm, Mark Lloyd emailed the details of 957 clients to his personal email account. The documents he emailed to himself contained details of clients’ personal information such as their contact details and purchase history.
The case was brought to court by the Information Commissioner’s Office and Mr Lloyd pleaded guilty to illegally obtaining client information and was prosecuted under section 55 of the Data Protection Act 1998. He was ordered to pay a £300 fine, a £30 victim surcharge and £405.98 in costs.
The law
It’s a criminal offence to take client information without permission, to a new job. Currently, the offence is dealt with in a Magistrates Court or Crown Court who can issue an unlimited fine. The Information Commissioner’s Officer has for a long time argued that this is not enough of a punishment or deterrent. It is pushing for courts to impose what it believes would be a more effective measure, such as the threat of prison.
Anyone who handles personal information must comply with the eight principles of the Data Protection Act, which states that personal information must be:
1. Fairly and lawfully used.
2. Handled for limited purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up-to-date.
5. Not kept for longer than required.
6. Processed in line with the rights of the data subject.
7. Handled safely and securely.
8. Not sent to other countries without adequate protection.
Internal measures
The threat of criminal prosecution may act as a good deterrent for many employees, but employers must still take their own steps to prevent personal data being misused. Employers need to be making sure that they have adequate security measures in place and up-to-date policies, procedures and staff training available from the start of a person’s employment.
All employees need to be made aware that any documents containing personal data they have produced, worked on or have access to, belong to their employer. The information is not theirs to take with them when they leave the company. Even if an employment contract does not cover issues such as disclosure, there is still the general law on confidentiality. This prevents anyone from being able to take unfair advantage of information they have received in confidence while working for their employer.
Unless there was a clear understanding between the employer and employee that they would have rights to continue to use client lists, or any other information after they leave the employment, taking or copying this data is illegal.