There has been much highlighting of the high level fines which can be imposed under the GDPR for data protection breaches. What is less known is that individuals can be prosecuted and subject to fines for data protection offences on a personal basis. This has been the case for some time under s.55 of the Data Protection Act 1998, which made it an offence to obtain, disclose or procure the disclosure of personal data without the consent of the data controller, or to sell such data. This provision is now replicated in s.170 of the Data Protection Act 2018, which adds retaining data without consent as an offence.
A number of prosecutions for such offences have been reported recently by the ICO, which were carried out under the 1998 Act due to the offences occurring prior to the GDPR coming into force.
These include:
These cases illustrate the potential consequences of data protection breaches for employees. As well as being subject to potentially unlimited fines or imprisonment, consequences can go beyond this to, for example, loss of employment or reputational damage. Cases which gain media attention could also affect future career prospects if an employee is considered to be untrustworthy with personal data, particularly given the potential implications for their employers who may be vicariously liable for their actions (see our blog on vicarious liability for more information – although it should be noted that this decision is currently being appealed).
Given the potential for vicarious liability, employers may be concerned about how to prevent employees from acting in a manner which breaches data protection law and potentially has consequences for the business.
Data protection breaches are frequently dealt with under disciplinary procedures, and may be cause for dismissal if the employee’s conduct is sufficiently serious. However, as with any dismissal, all the circumstances have to be considered and factors which may be of relevance are whether the employee knew that their actions were a breach of data protection rules, or had been warned previously about such conduct.
Employee training can be a useful way of ensuring employees are aware of what amounts to a breach and what action they can take in order to avoid causing a data breach. Individuals should also be aware of their responsibilities and the possibility of personal consequences if they act in breach of data protection legislation.