THE high levels of publicity given to whistleblowers such as Julian Assange and Edward Snowden underscore the risks of an employee disclosing confidential information relating to their employer’s business when they regard disclosure as being in the public interest, writes Scott Kerr.
In a recent case an employee at supermarket chain Morrisons disclosed the personal information, including bank account details, of 100,000 employees. The person responsible not only sent the data to a newspaper but published it online.
This highlights the risks to employers – and to all of us whose data is held – of personal information becoming publicly available.
The Data Protection Act is the legislation which regulates the holding and use of personal data – setting out eight general principles which are to be followed by anyone who controls personal data. The principles set out how this data should be collected, held, processed and, perhaps most importantly, secured.
All businesses will hold and process personal data. Simply holding such data means that businesses are required to register with the Information Commissioner’s Office (ICO). Earlier this month, a Cardiff company was prosecuted because it unlawfully processed personal data of customers without notifying the ICO. The company and its director were fined and convicted of a criminal offence.
But registration alone is not sufficient. A business must have in place policies setting out how it will collect the data, how that will be processed and, most importantly, how it should be protected. And where, as in the Morrisons example, there is a security breach, the ICO will seek to establish what policies and practices are in place.
There is no reason to doubt that Morrisons has data protection policies in place, that those are implemented and they include how to deal with security breaches. Morrisons would certainly appear to have taken appropriate action – the security breach was made public; all those employees affected were advised of it, and steps to assist were put in place, but it is still a huge public relations blow.
PR issues, however, are not the only concern. The ICO, tasked with policing data protection issues and compliance with the act, has the power to investigate and, if it considers appropriate, impose fines. There will be a breach if appropriate data protection policies are not in place. There will be a breach if these policies are not applied. There will be a breach where data is lost and the data controller is seen as being at fault. The ICO can issue fines of up to £500,000 – and has done so.
Whatever the background, Morrisons’ policies and practices will still be investigated. Assuming they are robust and appropriate, that will be the end of the matter, but the PR issues will continue and the cost of those cannot be calculated.
For most businesses a significant fine could be fatal. And the risk of a rogue employee with access to data breaching security is always there. It is a timely reminder to all businesses of the need to recognise their obligations under the Data Protection Act.
• Scott Kerr is a partner at commercial law firm McClure Naismith LLP, specialising in intellectual property law and data protection.