The Information Commissioner’s Office (ICO) has recently prosecuted an employee who transferred information about his company’s clients before moving to a new job.
The employee worked at a waste management company and, before leaving to work at a rival company, emailed the details of 957 clients to his personal email address. The documents contained commercially sensitive information, as well as personal information including the contact details of customers and their purchase history.
The employee pleaded guilty to the offence of unlawfully obtaining data and was fined £300, ordered to pay £405.98 costs and a £30 victim surcharge. This follows on from a similar case in April 2016 where a former employee of the insurance company LV= was also fined £330 for attempting to get an existing employee to sell customer data to him.
The Courts are currently limited to imposing a fine for these offences (albeit the fine is unlimited). Although the Criminal Justice and Immigration Act 2008 makes unlawfully obtaining personal data punishable by up to 2 years in prison, this is yet to be enacted and it is not known when this will come into force. Earlier this year, the ICO called for tougher sentencing powers for people convicted of stealing personal data but, for the time being, it seems that the ICO is following through in its warning that "anyone who tries to unlawfully obtain, disclose or sell personal data should expect to see themselves hauled before the courts".