UK data protection legislation, including the new GDPR, is enforced by the Information Commissioner’s Office (ICO). The ICO has the authority to issue monetary fines of up to 4% of a company’s annual worldwide turnover, or 20 million euros, for those in breach of their data protection duties.
Below we take a brief look at how nightmarish employee actions, both intentional and accidental, occurring before the GDPR came into force on 25 May 2018, have resulted in hefty fines for their employers, before looking at precautions that might help businesses avoid penalties.
It is difficult not to feel sympathy for Morrisons Supermarkets when, in 2014, a senior internal auditor, Andrew Skelton, intentionally leaked data relating to nearly 100,000 colleagues. The data, which included names, addresses, bank account details and salaries, was posted online and sent to newspapers.
In December 2017, the High Court decided Morrisons was vicariously liable for the breach, a decision which was recently confirmed by the Court of Appeal.
As the first data leak class action in the UK, the case is likely to be taken by the supermarket to the Supreme Court. If unsuccessful in their appeal, Morrisons not only faces “distress” compensation payments to 5,518 claimants but potentially a fine from the ICO.
Blunders at work
Businesses are also at risk of innocuous employee mistakes that may result in financial penalties.
An employee in a “relatively junior position by grade” at Heathrow Airport recently lost a memory stick during their commute. By data breach standards, the personal information was of relatively low volume (60 individuals) and sensitivity, yet the airport was still fined £120,000.
In December 2016, a police officer for Gloucestershire Police did not activate the ‘BCC’ function on his email system, and accidentally revealed identities of victims to 56 recipients. This incurred a fine of £80,000 due to the particularly sensitive nature of the information leaked.
In an equally unsympathetic approach, the Royal Borough of Kensington and Chelsea was fined £120,000 after a worker failed to remove the corresponding personal details from a spreadsheet listing owned vacant properties in the area.
Data protection and prevention of data breaches should be at the heart of your business’s decisions when processing personal data. Below we have set out steps to reduce the risk of an employee-induced fine:
- Conduct a data audit, and delete information that is not needed
- Limit staff access to personal information to what is necessary for the performance of their role
- Use organisational and technical measures to prohibit the use of removable media devices; where their use is necessary, always encrypt the personal data stored on them
- Maintain data protection policies
- Provide training to all employees, reinforcing that employees themselves have been prosecuted for unlawful access (Clare Lawson; Daniel Short) and for intentionally leaking data (Andrew Skelton, who went to prison)
- Use the ICO resources and helpline available
- Report any breach early.
Fines are less likely to be imposed where employers have evidenced engagement with data protection and taken preventative steps to avoid data protection breaches.
Most fines have so far involved acts or omissions occurring prior to 25 May 2018, but it is only a matter of time before we see the ICO issuing very large fines in line with the new threshold.
If you are concerned about data protection, are taking steps to avoid a data protection breach, or want assistance in handling such a breach, please do not hesitate to contact a member of the employment team.