07 January, 2020
As covered in the May edition of this newsletter, the criminal offences that can be committed under the Data Protection Act 2018 (DPA 2018) have a serious, but often overlooked, potential impact. That article examined the statutory changes: which offences have been added, where the old offences can be found in the new legislation and so on. It is also worth looking at the trends in the actual prosecutions that have gone through the courts over the past year.
All of the court cases discussed here were brought under the previous legislation, the Data Protection Act 1998 (DPA 1998), because the offences were committed before 25th May 2018, when the new legislation came into effect. The offences examined here remain offences under the new legislation.
Please see the May edition for further details of the changes to the offences covered in this article, including the new sentencing thresholds.
The main data protection offence prosecuted over the last year has been the offence under section 55 of the DPA 1998 (now section 170 of the DPA 2018): knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller.
This offence applies to organisations as well as individuals, although over the past year all prosecutions (ten in total) have involved individuals accessing personal data without a professional need to do so. Of these ten prosecutions, eight were for unlawfully accessing records, one was for unlawfully sharing records and one was for unlawfully selling records to another party.
In the eight prosecutions for accessing personal data there is a clear trend: the defendants were mostly in administrative roles and were often accessing data out of curiosity rather than for anything more nefarious. The types of data accessed reflect this, with criminal offence data, witness statements and medical records a recurring theme, as well as information about the defendants' own friends and family.
Alongside the access itself, several defendants fell foul of the law by emailing personal data to their own non-work email accounts without any justification for doing so. Organisations' IT policies and Bring Your Own Device (BYOD) policies should tell staff exactly when and how they may use personal data on their own devices, minimising the risk of such prosecutions.
In nearly every case the sentence was a fine of between £400 and £1,000, plus costs (several hundred pounds more) and a victim surcharge of £20 to £50.
Alongside unlawfully accessing someone's personal data, there has also been a recent prosecution for unlawfully sharing such data.
In February of this year, a former senior local government officer was prosecuted for passing the personal information of rival job applicants to his girlfriend who had applied for a job at the Council. Kevin Bunsell accessed the authority's recruitment system then emailed the details of nine rivals who had been shortlisted to his girlfriend's email account. This included the name, address, telephone number and CV of each candidate.
Appearing before Nuneaton Magistrates' Court, Mr Bunsell admitted unlawfully sharing personal data in breach of s55 of the DPA 1998. He was fined £660, ordered to pay costs of £713.75 and ordered to pay a victim surcharge of £66.
The final prosecution we shall look at under s55 of the DPA 1998 concerns a former managing director of a claims management company who unlawfully obtained and sold personal data.
David Cullen was the managing director of No1 Accident Claims Limited. He obtained and sold personal data relating to car insurance policy holders who had been involved in accidents.
Mr Cullen appeared before Manchester Crown Court on 21 counts of unlawfully obtaining and selling personal data in breach of s55 of the DPA 1998. He was fined a total of £1,050, ordered to pay costs of £250 and disqualified from acting as a director for five years.
A confiscation order under the Proceeds of Crime Act 2002 was sought for £1,434,679.60; however, because Mr Cullen had no assets, a nominal order of £1 was made.
Whilst the fine of £1,050 is in line with the other s55 prosecutions, the scale of the illegality is reflected in the confiscation order and in Mr Cullen being barred from acting as a director for five years. Administrative staff who unlawfully access personal data can expect to lose their jobs; the directorship ban should be taken as fair warning to senior management and leaders that they are not immune from the consequences of their own misdeeds, even if they own the company themselves.
The last prosecution we shall examine involves a limited company which failed to comply with an Enforcement Notice served by the ICO in relation to a subject access request, made by a member of the public, which the company had failed to answer.
At a hearing before Westminster Magistrates' Court the defendant, Magnacrest Limited, pleaded guilty to an offence under section 47(1) of the Data Protection Act 1998. It was fined £300, ordered to pay costs of £1,133.75 and ordered to pay a £30 victim surcharge.
Whilst this prosecution was for failing to comply with an Enforcement Notice from the ICO, it highlights the legal danger organisations face if they do not fully comply with data subject rights requests. As can be seen from the 'field test' covered in the SAR article in this issue, 13% of the organisations tested wholly failed to respond to a request at all, which can easily lead to a prosecution like this one.
Administrative staff unlawfully accessing personal data are one of the biggest risks to organisations. The prosecutions described above came from a diverse range of organisations: private companies, the judicial system, GP practices and NHS Trusts, local government and the education sector.
Sectors which handle more personal data than others will inherently be more vulnerable to unlawful acts by staff, but every organisation that processes personal data, no matter how small, needs to protect itself from such action through thorough training that explains how to lawfully use the personal data the organisation holds.
Individual fines and costs may be low, but the repercussions can also include termination of employment or even being barred from acting as a director. Staff, leadership, directors and organisations themselves can be, and are, prosecuted for data protection offences. Compliance is a 360 degree issue.
For more information contact Daniel Milnes in our Governance, Procurement & Information department via email or phone on 01254 222313. Alternatively send any question through to Forbes Solicitors via our online Contact Form.