What happens to employees who breach data protection rules?

The Information Commissioner’s Office (ICO) provides regular website updates on its latest enforcement action against organisations and, in some cases, individuals.

This action can include monetary penalties, enforcement notices, undertakings and prosecutions.

This demonstrates the ICO’s power in enforcing data protection compliance  and also highlights organisations’ failings in complying with legislation and how it can be rectified. A link to the page can be found here.

In this article, Rhiannon Hastings, data protection paralegal in our commercial team, summarises the outcomes of two recent cases involving an employee accessing confidential client data.

Case 1: Former RAC employee steals data of victims of road traffic incidents

On 1 February 2023, the ICO found a former RAC employee (Asif Iqbal Khan) guilty of stealing data of road traffic accident victims.

The RAC launched an internal investigation after receiving 21 complaints from drivers who had received nuisance calls from several claims management companies following accidents.

The investigation found Mr Khan had accessed all 21 individuals’ files and had taken photos of his computer screen with his phone.

The ICO conducted a search warrant, seizing two phones belonging to Mr Khan and a customer receipt for £12,000.

The phones contained photos of data (including personal data) relating to over 100 road accidents.

Mr Khan pleaded guilty to two counts of stealing data and was fined £5,000 as well as court costs.

Case 2: Former 111 call centre advisor illegally accesses medical records

On 17 February 2023, the ICO found a former 111 call centre advisor (Martin Swan) guilty of illegally accessing medical records  of a child and his family.

Following a complaint made against Mr Swan by the child’s father, he accessed personal records without consent.

He also produced screenshots of the child’s patient notes at an internal investigation meeting in June 2016.

After the meeting, Mr Swan continued to contact the child’s father to accuse him of falsified events. Due to this, Mr Swan was shortly dismissed from the call centre for gross misconduct.

After the ICO launched an investigation against Mr Swan, he pleaded guilty to five counts of unlawfully obtaining personal data. As a result, he was fined £630 and court costs totalling £1,093. 

Data protection advice

The cases demonstrate abuse of position and mishandling of personal data in the workplace and use of personal data for commercial gain. Both outcomes lead to enforcement against the employee concerned. 

Cases such as these highlight the importance of staff training and understanding of data protection legislation, obligations and implications.

Our data protection team can support you with bespoke advice regarding data protection compliance in your organisation should you require support in updating and/or implementing a framework to ensure your staff comply with UK data protection legislation in the workplace.  

For more information on these cases, or for advice from our data protection team, get in touch with Rhiannon directly using [email protected] or 0191 211 7891.