Skip to main content

Do your staff realise they can be prosecuted for unlawfully accessing your data?

These three (presumably) didn't and now have criminal convictions. 

Faye Caughey worked for an NHS Foundation Trust and was authorised to access records as part of her job. She misused her position to access the personal details of seven family members and seven children known to her. She pleaded guilty and received a fine.

Jayana Davies forwarded several work emails to her personal account containing personal data of customers and other employees before resigning from her role at V12 Sports and Classics Ltd.  She also admitted the offences and was fined.

Kevin Bunsell worked in local government and emailed the personal information of nine rival shortlisted candidates to his partner’s Hotmail account who had also applied for the job. The recruitment packs included the name, address, telephone number and CV of each candidate. He admitted the offence and was fined.

These cases demonstrate that the Information Commissioner will prosecute individuals who breach the law.   

You can be held vicariously liable for the actions of your employees where their job involves processing data and there is a “close connection” between that processing and their wrongful conduct - even, as Morrison's recently found out, the employee acts maliciously and in breach of their procedures.


Whilst you can never completely eradicate the risk of an employee's curiosity getting the better of them, or downloading materials for personal gain, you should make sure your workforce understands what they can and cannot do and what may happen if they break these rules.

Employees are likely to understand that they can be sacked if they misuse information but may not know they can also be prosecuted. We recommend that you spell this out in your policies and any training you deliver. This will deter most employees from snooping around and will minimise the risks to your organisation and reputation. 

Reporting data breaches

Under GDPR, which came into force last year, all organisation have to report any data breaches to the ICO within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of the individual/s affected. Plus, you may also have to notify the individual themselves.

Need more information?

Sarah Birkbeck is one of our data protection experts and can help you to decide if you need to notify the ICO of any breaches.

Mike Shaw, head of the criminal investigations team at the ICO, said: “People expect that their personal information will be treated with respect and privacy. Unfortunately, there are those who abuse their position of trust and the ICO will take action against them for breaking data protection laws.””