Data Protection Legislation & Ex-Employees
An interesting legal decision was recently delivered which puts a slightly different spin on the issue of employees who leave and take company data with them. The Information Commissioner’s Office reported, on 26th May :
“Mr Mark Lloyd has been prosecuted at Telford Magistrates’ Court for the offence of unlawfully obtaining data. The defendant, who worked at a waste management company in Shropshire, emailed the details of 957 clients to his personal email address as he was leaving to start a new role at a rival company. The documents contained personal information including the contact details of customers, as well as purchase history and commercially sensitive information.
Mr Lloyd pleaded guilty to the offence under section 55 of the Data Protection Act, and was fined £300, ordered to pay £405.98 costs and a £30 victim surcharge.”
This scenario is not uncommon and the usual action is one against the former employee in the civil courts for breach of contract and, in particular, of the duty of confidentiality. The issue of whether customer details are “confidential” has been the subject of several legal cases and the consensus of opinion is that if the details can be held in the employee’s head then they are not confidential. So, for example, the former employee may remember than Jane Smith works for ABC Limited, searches out her telephone number and email address on the internet and then contacts her. This would not be a breach of confidentiality. However, if the former employee forwards the outlook contact to his personal email address, that would be a breach of confidentiality and, if it was presumably done whilst he was still an employee, a breach of his duty of fidelity which he owes to his employer.
There is also the question of whether a company database, even if it holds records which are, largely, in the public domain, can be confidential information. It seems that it can be but would also be intellectual property of the company which cannot be copied or used by employees for anything other than their employer’s business.
Section 55 Data Protection Act 1998 states that
A person must not knowingly or recklessly, without the consent of the data controller—
- obtain or disclose personal data or the information contained in personal data, or
- procure the disclosure to another person of the information contained in personal data.
There is scant detail in the case report released by the ICO but one presumes that the former employer reported Mr Lloyd to the ICO for breach of s55 which resulted in the prosecution. What we do not know is whether the company also pursued Mr Lloyd in the civil court and what sanction was issued against him.
As with all of these things, the devil will be in the detail. The company will be in a much stronger position to enforce its rights if there are clear and concise policies in place setting out employees’ duties regarding the use of customer information and their obligations under the Data Protection Act 1998. There should also be a well worded contract of employment in place which makes clear what is deemed to be confidential information and company property.
If you would like to discuss any of the issues in this post please call or email a member of the Employment Team.