
What happens to employees who breach data protection rules?

20th Mar 2023 | Commercial Law | Data Protection & Information Law

The Information Commissioner’s Office (ICO) publishes regular website updates on its latest enforcement action against organisations and, in some cases, against individuals.

This action can include monetary penalties, enforcement notices, undertakings and prosecutions.

The published record demonstrates the ICO’s powers in enforcing data protection compliance. It also highlights where organisations have failed to comply with the legislation and how those failings can be rectified.

In this article, Rhiannon Hastings, data protection paralegal in our commercial team, summarises the outcomes of two recent cases involving an employee accessing confidential client data.

Case 1: Former RAC employee steals data of victims of road traffic incidents

On 1 February 2023, following an ICO prosecution, a former RAC employee (Asif Iqbal Khan) was convicted of stealing the data of road traffic accident victims.

The RAC launched an internal investigation after receiving 21 complaints from drivers who had received nuisance calls from several claims management companies following accidents.

The investigation found that Mr Khan had accessed all 21 individuals’ files and had photographed his computer screen with his phone.

The ICO executed a search warrant, seizing two phones belonging to Mr Khan and a customer receipt for £12,000.

The phones contained photos of data (including personal data) relating to over 100 road accidents.

Mr Khan pleaded guilty to two counts of stealing data and was fined £5,000 as well as court costs.

Case 2: Former 111 call centre advisor illegally accesses medical records

On 17 February 2023, following an ICO prosecution, a former 111 call centre advisor (Martin Swan) was convicted of unlawfully accessing the medical records of a child and his family.

After the child’s father made a complaint against Mr Swan, Mr Swan accessed the family’s personal records without authorisation.

He also produced screenshots of the child’s patient notes at an internal investigation meeting in June 2016.

After the meeting, Mr Swan continued to contact the child’s father to accuse him of fabricating events. As a result, Mr Swan was dismissed from the call centre shortly afterwards for gross misconduct.

After the ICO launched an investigation against Mr Swan, he pleaded guilty to five counts of unlawfully obtaining personal data. As a result, he was fined £630 and court costs totalling £1,093. 

Data protection advice

The cases demonstrate abuse of position and the mishandling of personal data in the workplace, including the use of personal data for commercial gain. In both cases the outcome was enforcement action against the employee concerned, not only the employer.

Cases such as these highlight the importance of staff training and understanding of data protection legislation, obligations and implications.

Our data protection team can provide bespoke advice on data protection compliance in your organisation, whether you need to update an existing framework or implement a new one to ensure your staff comply with UK data protection legislation in the workplace.

For more information on these cases, or for advice from our data protection team, get in touch with Rhiannon directly using [email protected] or 0191 211 7891.


Frequently Asked Questions
Can an employee be dismissed for a personal data breach?

Potentially yes. Where a data breach arises from an employee’s failure to follow the policies and procedures an employer has put in place (such as a data protection policy), this may form grounds for disciplinary action. Repeated breaches, or a single breach serious enough to constitute gross misconduct, could lead to the employee’s dismissal following a fair disciplinary process. However, without a policy in place that sets out these potential repercussions, an employer is likely to struggle to fairly discipline or dismiss an employee for a data breach.

Who is responsible for a personal data breach at work?

As the likely data controller, an employer is subject to strict requirements under data protection legislation, which the ICO enforces, and risks harsh penalties if those requirements are not met. Although the ICO may pursue employees directly for breaching data protection legislation, as in the two cases above, an employer can also be vicariously liable for the actions of an employee where the employee is acting “in the course of their employment” or to further the employer’s business.

What are the penalties for a personal data breach?

Both employers and employees may face enforcement action from the ICO for unlawful processing (including data breaches), which can result in prosecution or monetary penalties.
