Do you know who's looking at your data?
The new GDPR regulations have now been in place for over 18 months, and the ICO has issued a substantial number of fines for data breaches. One ICO case that caught our eye relates to a fine issued to an individual personally for a data breach at work.
The case, prosecuted by the ICO and resulting in a fine of almost £700, is probably the best argument for trackable data/document software in the workplace, as it shows that companies take the data they collect seriously. The case involves Stockport Homes, who manage the council houses for Stockport Council.
A customer service officer was fined £694.08 for accessing files relating to Anti-Social Behaviour Orders made against some of the council’s tenants. She had no business reason to access this information. She did not copy, transfer or email any information. It was concluded that she was just being nosey during her working day, with no other intent proven.
The really interesting part: although only recently prosecuted, this data breach came to light during an audit which reviewed the officer’s access to the system between January and December 2017. The new GDPR regulations did not come into force until May 2018, but the individual was still fined even though the breach took place before then.
Fortunately for Stockport Homes, they were able to track the officer’s access and found that the officer was just prying, but in cases of deliberate and malicious data breaches by employees, the employer can be held liable.
For example, in another case Morrisons were found vicariously liable by the Court of Appeal for a data breach by a disgruntled (now) ex-employee who stole 100,000 employees’ payroll details and tried to sell them on the dark web. Morrisons have appealed this judgement to the Supreme Court, which is not surprising because the maximum financial penalty for criminal prosecutions is unlimited! The disgruntled ex-employee was jailed for 8 years.
These cases highlight that even if the employer is not found liable for a breach, the potential damage to a company’s reputation with their employees, suppliers and of course customers could be far greater than any ICO fine. Who wants to deal with a company that can’t keep your data safe?
For more information and advice on this or current employment law legislation contact us on 01579 343700.