Data protection prosecutions and employer liability
Ibrahim Hasan considers the prosecution of employees for data protection offences and the potential liability of their employers.
Rogue workers accessing and abusing personal data for their own gain is a perennial issue for organisations with vast databases of personal data that may have commercial value. Section 170 of the Data Protection Act 2018 makes it a criminal offence for a person to knowingly or recklessly:
(a) obtain or disclose personal data without the consent of the controller,
(b) procure the disclosure of personal data to another person without the consent of the controller, or
(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
In June 2023, the ICO disclosed that since 1st June 2018, 92 cases involving S.170 offences were investigated by its Criminal Investigations Team. A recent prosecution involved a man who worked for Enterprise Rent-A-Car where he illegally accessed customers’ records. He was ordered to pay a fine of £265, along with costs of £450 and a victim surcharge of £32. S.170 is similar to the offence under section 55 of the old Data Protection Act 1998. S.55 can still be used to bring a prosecution where an offence pre-dates the current S.170 coming into force.
In August, Jonathan Riches pleaded guilty under S.55 at Cardiff Crown Court. Mr. Riches, also a former employee of Enterprise Rent-A-Car, left the company in 2009 to establish his own personal injury firm. However, he remained in contact with former colleagues, through whom he illegally obtained details of individuals involved in road traffic accidents, then contacted them to offer legal services. At one point, Mr. Riches, through his accomplices, gained access to Enterprise’s internal database, allowing him to retrieve clients’ personal details.
Previously, Mr. Riches had been ordered to pay Enterprise Rent-A-Car a £300,000 civil settlement. He was later interviewed by the ICO, which led to him being summoned to court in 2016. However, having relocated to the United States, he failed to appear, prompting a warrant for his arrest. He eventually returned to the UK and surrendered to authorities in 2024.
Mr. Riches’s accomplices in the crimes had all been sentenced earlier. Judge Francis described Riches’s actions as part of a sophisticated and long-running scheme that involved a cynical breach of trust. He fined £10,000, plus £1,700 in costs.
Of course prosecutions for mishandling personal data would have a much greater deterrent effect if the available sanctions included a custodial sentence. Successive Information Commissioners have argued for this but to no avail. This has led to some cases being prosecuted under section 1 of the Computer Misuse Act 1990 which carries tougher sentences including a maximum of 2 years imprisonment on indictment. In July 2022, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners and in August 2022, the ICO commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of customers’ personal data from vehicle repair garages to generate potential leads for personal injury claims.
Employer liability
If a disgruntled or rogue employee commits an offence under section 170, might their employer also be liable for the consequences?
In 2020, the Supreme Court ruled that as an employer, Morrisons Supermarket could not be held responsible when an employee, Andrew Skelton, uploaded a file containing the payroll data of thousands of Morrisons employees to a publicly accessible website as well as leaking it to several newspapers. The court decided that, whatever Skelton was doing when he disclosed his colleagues’ personal data, he was not acting “in the course of his employment”, and accordingly no vicarious liability could be imposed under the old Data Protection Act 1998.
However, Morrisons lost on the argument that the DPA 1998 operated so as to exclude vicarious liability completely. This principle can also be applied to the GDPR and so employers can “never say never” when it comes to vicariously liability for malicious data breaches by staff. It all depends on the facts of the breach.
This case only went as far as it did because the Morrisons employees failed to show, at first instance, that Morrisons was primarily liable for the data breach. If an employer fails to comply with its security obligations in a manner that is causally relevant to a rogue employee’s actions, it can still be exposed to primary liability under Article 32 of GDPR as well as the 6th Data Protection Principle which both impose obligations to ensure the security of personal data.
Ibrahim Hasan is a solicitor and director of Act Now Training.
This and other data protection developments will be discussed in detail on Act Now's forthcoming GDPR Update workshop.