Criminal offences under the Data Protection Act: a reminder
A car rental manager has pleaded guilty to unlawfully obtaining personal data as a result of accessing over 200 customer records. The ICO press release points out that the case is a reminder to employees that “Just because your job may give you access to other people’s personal information, it doesn’t mean you have the legal right to look at it whenever you like”.
The employee had worked for Enterprise Rent-A-Car, who were alerted to a potential concern after the employee visited his workplace outside scheduled hours on a Sunday. The employee was dismissed for gross misconduct following an internal investigation in which he confirmed that he had accessed records which he had no reason to access. He pleaded guilty to the offence of unlawfully obtaining personal data under s170 of the Data Protection Act 2018 and was fined £265 plus costs and a victim surcharge.
No additional evidence was found to show Mr Saleem had sold the data or made any financial gain, which is why he was charged with unlawfully obtaining the data.
This case is a good reminder to:
- Make clear in your data protection policy that employees/others with access to your data should not be accessing personal data that is not relevant to their role. This will enable you to take swift action where appropriate;
- In advance of any data issue, ensure you have adequate internal or external IT support lined up to assist in a crisis moment such as an urgent investigation or a cyber-attack. You should also keep under review who has access to what data and the technical measures in place to minimise risk of data misuse;
- If you have a concern that an employee or anyone else with lawful access to your data is accessing personal data that they should not be accessing, you should:
  - Act swiftly in seeking to mitigate the damage to data subjects (whether staff, students or others);
  - Consider both the civil and criminal actions that could be relevant against the individual;
  - Consider what action you should take to mitigate the damage caused;
  - Remember that this is likely to be a data breach under the UK GDPR, so consider your reporting obligations to the ICO or the affected data subjects.
Should you need any assistance with these matters, please contact the author or your usual Mills & Reeve contact.