
What happens to employees who breach data protection rules?

Last Edited: 7th Nov 2024 | First Published: 20th Mar 2023
Commercial Law | Data Protection

This article was updated on 7 November 2024 to reference a more recent case of an employee breaching data protection rules.

The Information Commissioner’s Office (ICO) provides regular website updates on its latest enforcement action against organisations and, in some cases, individuals.

This action can include monetary penalties, enforcement notices, undertakings and prosecutions.

This demonstrates the ICO’s power to enforce data protection compliance, and it also highlights where organisations have failed to comply with the legislation and how those failings can be rectified. A link to the ICO enforcement page can be found here.

In this article, Rhiannon Hastings, data protection paralegal in our commercial team, summarises the outcome of a recent case involving an employee accessing confidential client data.

Case: A representative discloses personal data to an unauthorised individual

On 19 August 2022, the ICO found that a representative of two children (Jackson Quinn), in relation to a step-parent adoption hearing at the family court, had shared two reports with the biological father, who was representing himself at the hearing.

The two reports contained information relating to the children, their mother, her husband and other family members, including current photographs, the details of the children’s school and the family’s residential address.

The social workers prepared the two reports for the court. However, Jackson Quinn mistakenly sent unredacted copies of the reports to the prison where the biological father was currently serving time.

At the time of the hearing, the biological father was serving a custodial prison sentence for three convictions of rape of the mother. He was deemed to pose a high risk to the mother, meaning there was a severe concern he would use the information in the two reports to locate her, her husband and family and seek to cause them harm.

After a review of the two reports, it transpired that the residential address referred to was no longer the family’s current address at the time of the hearing, which lowered the risk of harm. However, because the documents had not been properly redacted, a risk still existed.

The ICO requested copies of Jackson Quinn’s data protection policy, which confirmed it was not compliant with the data protection legislation.

In addition, no policy existed setting out a procedure for managing a personal data breach, which was also a breach of the data protection legislation.

Due to the change in residential address, the ICO chose to issue Jackson Quinn with a reprimand on the basis that the severity of the risk had been reduced.

However, Jackson Quinn received the following actionable recommendations to prevent an incident such as this from occurring again:

  1. Implement appropriate policies and procedures to prevent a personal data breach and, in the event one occurs, set out how to minimise its effect; and
  2. Introduce staff training on the use of adequate redaction software.

To put this into perspective, if the residential address referred to in the two reports had been the current residential address, Jackson Quinn would have received at least an enforcement notice, with the possibility of a penalty fine, given that the personal data breach would have posed a “high risk” to the rights and freedoms of those affected.

Data protection advice

The case demonstrates an incident in which an employee mishandled personal data in the workplace, and the consequences for the organisation, which depend on the severity of the personal data breach.

Cases such as this highlight the importance of staff training and of understanding the data protection legislation, the obligations that apply when using personal data and the implications of breaching the legislation.

Our data protection team can support you with bespoke advice on data protection compliance in your organisation, should you require support in updating and/or implementing a framework to ensure your staff comply with UK data protection legislation in the workplace.

For more information on these cases, or for advice from our data protection team, get in touch with Rhiannon directly using [email protected] or 0191 211 7891.


Frequently Asked Questions
Can an employee be dismissed for a personal data breach?

Potentially yes – should a data breach arise from an employee’s failure to follow the policies and procedures an employer has put in place (such as a data protection policy), this may form the grounds for disciplinary action. Repeated breaches, or a significant breach capable of constituting gross misconduct, could lead to the employee’s dismissal following a fair disciplinary process. However, without a policy in place which sets out these potential repercussions, an employer is likely to struggle to fairly discipline or dismiss an employee for a data breach.

Who is responsible for a personal data breach at work?

As the likely data controller, employers are subject to strict and stringent requirements from the ICO, and risk facing harsh penalties should those requirements not be followed. Although the ICO may pursue employees directly for breaching data protection legislation, an employer will be vicariously liable for the actions of their employee where the employee is acting “in the course of their employment” or to further the employer’s business.

What are the penalties for a personal data breach?

Both employers and employees may face prosecution by the ICO for unlawful processing (including data breaches), which could result in monetary penalties.
