Keeping Personal Data Safe and Secure.

By Andrew Knorpel on 16th June 2016

If you want to maintain your corporate reputation and have an advantage over your competitors, you’ll want (amongst other things) to keep your customer data safe and secure.  In order to do so, you’ll have internal processes requiring keys and passwords for staff to access particular records; but there’s far more to data security than that.

Every contract of employment should have a clause dealing with confidential information, making it clear what it includes and that it is not just limited to documents marked “confidential”.  Staff should be trained on what amounts to confidential information and how they must protect that information from getting into the hands (accidentally or deliberately) of third parties.

The same advice applies equally to personal data, as the seventh data protection principle requires all data controllers to take appropriate technical and organisational security measures to prevent unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data.  Despite this, we still regularly hear stories in the press of organisations’ computer systems being hacked and customers’ passwords or financial records stolen.

At present, the Information Commissioner’s Office (‘ICO’) can impose fines of up to £500,000 on organisations which breach data protection legislation.  However, the new General Data Protection Regulation (which comes into effect on 25 May 2018) will increase the limit on fines up to €20 million or 4% of worldwide turnover (whichever is higher).

But it’s not just the employer who can be penalised.  On two recent occasions, the press has reported how former employees have stolen or attempted to steal personal data when leaving their employer.  In April 2016, David Barlow Lewis pleaded guilty to the criminal offence of attempting to unlawfully obtain personal data when he asked one of his former colleagues at LV= via WhatsApp to sell him customer data. He was fined £300, ordered to pay £614.40 costs and a £30 victim surcharge.

Then in May 2016, Mark Lloyd pleaded guilty to unlawfully obtaining personal data after he had emailed information about 957 of his former clients at Acorn Waste Management Ltd to his personal email address just as he was about to start work at a competitor.  The documents contained personal information such as contact details, purchase history of customers and other commercially sensitive information.  He was fined £300, ordered to pay £405.98 costs and a £30 victim surcharge.  In their press release, the ICO reminded us that “Taking client records that contain personal information to a new job, without permission is a criminal offence”.

Data protection may not be the main topic of water-cooler chat, but the risk of criminal convictions for staff, substantial fines and reputational damage for employers should make training and investing in it a no-brainer for all businesses.
