The issue of employees taking confidential business information or personal data when moving to a new employer remains a significant concern for businesses. While technology has evolved, the legal and regulatory expectations surrounding the handling of personal data have become considerably stricter since the introduction of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
One of the ICO’s earlier prosecutions involved an employee of a waste management company who emailed details relating to 957 clients to his personal email account before leaving to join a competitor. The information included commercially sensitive material as well as customers’ personal data, including contact details and purchasing history. The employee was prosecuted for unlawfully obtaining personal data and received a financial penalty.
The case followed other prosecutions involving employees attempting to misuse customer information for commercial advantage. Although these cases pre-date the current UK data protection regime, they continue to illustrate the ICO’s willingness to pursue individuals who deliberately misuse personal data.
What has changed?
Since these prosecutions, the legal landscape has changed significantly. The UK GDPR and the Data Protection Act 2018 introduced a more comprehensive framework governing the use of personal data and strengthened the powers available to the Information Commissioner’s Office (ICO).
Individuals who unlawfully obtain, disclose or retain personal data may now face criminal sanctions under the Data Protection Act 2018 in appropriate circumstances. In addition, organisations that fail to implement appropriate technical and organisational measures to protect personal data can face substantial regulatory fines and enforcement action.
For employers, the risks extend beyond regulatory action. Employees who remove customer lists, pricing information or other confidential business information may also expose themselves to civil claims for breach of contract, breach of confidence, misuse of confidential information and, where applicable, infringement of intellectual property rights.
The issue of employees taking confidential business information or personal data when moving to a new employer remains a significant concern for businesses.
Practical lessons for employers
Businesses should not assume that data theft is purely an IT security issue. Effective protection requires a combination of legal, technical and organisational measures, including:
- clear confidentiality and post-termination obligations in employment contracts;
- robust policies governing the use of company devices, email and cloud storage;
- monitoring and auditing of unusual data transfers, particularly during resignation periods;
- prompt removal of system access when employment ends; and
- regular training to ensure employees understand their data protection and confidentiality obligations.
Comment
Although the ICO continues to take action against organisations that fail to protect personal data, individuals should not overlook their own responsibilities. Employees who copy customer information or other personal data before leaving an organisation may face regulatory investigation, criminal prosecution in appropriate cases, civil claims from their former employer and serious reputational consequences.
For employers, these cases serve as a timely reminder that prevention is more effective than cure. Strong contractual protections, well-managed offboarding procedures and effective cybersecurity controls can significantly reduce the risk of valuable business information walking out of the door with departing employees.
If you need advice on protecting confidential information or data protection compliance, contact our Data Protection team for expert guidance.