Do your staff realise they can be prosecuted for unlawfully accessing your data?

These three (presumably) didn't and now have criminal convictions.

01.04.2019

Faye Caughey worked for an NHS Foundation Trust and was authorised to access records as part of her job. She misused her position to access the personal details of seven family members and seven children known to her. She pleaded guilty and received a fine.

Jayana Davies forwarded several work emails to her personal account containing personal data of customers and other employees before resigning from her role at V12 Sports and Classics Ltd.  She also admitted the offences and was fined.

Kevin Bunsell worked in local government and emailed the personal information of nine rival shortlisted candidates to his partner’s Hotmail account who had also applied for the job. The recruitment packs included the name, address, telephone number and CV of each candidate. He admitted the offence and was fined.

These cases demonstrate that the Information Commissioner will prosecute individuals who breach the law.   

You can be held vicariously liable for the actions of your employees where their job involves processing data and there is a “close connection” between that processing and their wrongful conduct - even, as Morrison's recently found out, the employee acts maliciously and in breach of their procedures.

Training

Whilst you can never completely eradicate the risk of an employee's curiosity getting the better of them, or downloading materials for personal gain, you should make sure your workforce understands what they can and cannot do and what may happen if they break these rules.

Employees are likely to understand that they can be sacked if they misuse information but may not know they can also be prosecuted. We recommend that you spell this out in your policies and any training you deliver. This will deter most employees from snooping around and will minimise the risks to your organisation and reputation. 

Reporting data breaches

Under GDPR, which came into force last year, all organisation have to report any data breaches to the ICO within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of the individual/s affected. Plus, you may also have to notify the individual themselves.

Need more information?

Sarah Birkbeck is one of our data protection experts and can help you to decide if you need to notify the ICO of any breaches.

Mike Shaw, head of the criminal investigations team at the ICO, said: “People expect that their personal information will be treated with respect and privacy. Unfortunately, there are those who abuse their position of trust and the ICO will take action against them for breaking data protection laws.”
https://www.localgovernmentlawyer.co.uk/information-law/398-information-law-news/40135-nhs-employee-fined-for-unlawfully-accessing-personal-records

Key Contacts

Related Articles

  • Understanding the Equality Act 2010: EHRC updates its guidance for schools and colleges
    Expert Comment
    Understanding the Equality Act 2010: EHRC updates its guidance for schools and colleges
    New guidance for schools
  • The SEND White Paper: our view
    Expert Comment
    The SEND White Paper: our view
    The Government’s SEND White Paper aims to create a more inclusive and streamlined system. While we welcome that ambition, the proposals raise important practical concerns about how the system will work in practice.
  • Gender neutral toilets in primary school breached regulations and indirectly discriminated against girls
    Expert Comment
    Gender neutral toilets in primary school breached regulations and indirectly discriminated against girls
    In DE and FG v West Lothian Council the parents of a five-year old girl brought judicial proceedings against a Scottish local authority because the toilet facilities in one of its newly built schools were gender-neutral. They argued the council had breached relevant regulations and its toilet policy indirectly discriminated against girls. They also alleged that the effect of the policy harassed their daughter.

Recognised for excellence. Chosen for care.

  • Legal 500 Top Tier Firm UK 202
  • alt tzt
  • Sunday Times Best Places to Work 2025