Personal data – just because you can access it, doesn’t mean that you should
The Information Commissioner’s Office (ICO) warns workers after a charity employee is prosecuted for data protection offences.
The prosecution of a charity worker who made copies of sensitive personal data serves as a warning from the ICO that people working with personal information must obey strict privacy laws.
On 22 February 2017, the charity worker sent 11 e-mails containing sensitive personal data of 183 vulnerable clients to his personal e-mail address without the knowledge of the data controller, his employer. Further investigation unveiled that he had sent similar data to his personal account on 14 June 2016. The personal data included full names, dates of birth, telephone numbers and medical information.
The worker admitted unlawfully obtaining personal data in breach of section 55 of the Data Protection Act 1998 (DPA) and was given a conditional discharge for two years. He was also ordered to pay prosecution costs of £1,845.25, as well as a victim surcharge of £15.
Under section 55 of the DPA, it is a criminal offence to knowingly or recklessly, without the consent of the controller:
- (a) obtain or disclose personal data or the information contained in personal data; or
- (b) procure the disclosure to another person of the information contained in personal data.
Over the course of 2016/2017, the ICO has taken action against a number of health sector employees for accessing personal data and sensitive personal data without any business need to do so and without the consent of the data controller. The Head of Enforcement at the ICO said:
“People have a right to expect that when they share their personal information with an organisation, it will be handled properly and legally. That is especially so when it is sensitive personal data.
People whose jobs give them access to this type of information need to realise that just because they can access it, doesn’t mean they should. They need to have a valid legal reason for doing so.”
Anyone who processes personal information must comply with the UK’s data protection laws, currently set out under the DPA. From 25 May 2018, however, the General Data Protection Regulation (GDPR) will replace the DPA, harmonising data protection laws across the EU. Under the GDPR, there is no equivalent provision to section 55 of the DPA. However, Recital 149 of the GDPR allows Member States to lay down the rules on criminal penalties for infringements of the GDPR, including infringements of national rules adopted pursuant to and within the limits of the GDPR.
The Data Protection Bill, which will bring the GDPR into UK law, includes an equivalent provision to that currently contained in section 55 of the DPA. As well as offences (a) and (b) set out above, section 161 of the Data Protection Bill also introduces an offence for a person, knowingly or recklessly:
- after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
This latest enforcement action taken by the ICO serves as a reminder to workers of the existence of this offence and of the requirement on them, as individuals, to comply with the UK’s strict privacy laws. Employers should seek to ensure that their staff are trained and understand how to handle personal information in compliance with the (fast-approaching!) GDPR.
This article was co-written by Rhea McKenzie.