With the General Data Protection Regulations (“GDPR”) being a hot topic of late, many employers have been updating their contracts and policies and introducing privacy notices in order to comply with the new law.


The key theme of the GDPR is that a person’s data must be protected by the person who holds or processes it.  This includes clients, staff and suppliers.  Whilst the number of rights now available and the obligations of the person taking the data (“data controller”) have increased, it has for many years been a legal requirement for businesses and their employees to try to keep data secure.

The Data Protection Act 1998 is still in force (albeit with certain amendments via the GDPR) and includes a section stating that a person must not “knowingly or recklessly, without the consent of the data controller (i.e. the person responsible for the data), obtain or disclose personal data”.

It was a breach of this section that led to a prosecution by the ICO directly against an ex-employee of Milton Keynes Hospital Trust.  In this case the former employee inappropriately accessed the records of 12 patients outside of her role.  One of these records was that of her ex-partner, who claimed that the information was then used to harass her.  The former employee was fined £134 for inappropriately accessing the information, £166 for disclosing it to another and £30 for the victim.

Whilst these fines are not huge, it is interesting to see the ICO with an appetite for directly prosecuting individuals who knowingly and recklessly abuse their powers in relation to data protection.  With GDPR and the increasing public awareness of data protection laws, it is likely that there could be an increase in these types of cases.

So, in these cases an employee could face direct enforcement action by the ICO and misconduct proceedings from their employer.

Employers should consider:
• Updating their Data Protection Policies
• Ensuring clarity over what personal data may be processed by staff and what they are and are not allowed to access
• Awareness and Training to ensure that each member of staff is aware of the rules

Employees should be careful to consider their own use of data and be reminded by their employer that it is not simply the organisation that must be compliant with data protection laws, but each individual too.

For further information, please contact our commercial team on 01626 202404 or email lawyer@wbw.co.uk.

This information has been prepared by WBW Solicitors LLP as a general guide only and does not constitute legal advice on any specific matter and should not be relied upon as such.