A common scenario in which businesses can be left particularly vulnerable is where an employee leaves their job and takes a list of clients with them to a rival company.
In addition to seeking an injunction to enforce any restrictive covenants (assuming they are not void in restraint of trade), an aggrieved employer looking to protect legitimate business information may be well advised to report its former employee to the Information Commissioner for an alleged breach of the Data Protection Act 1998.
An example of this can be found in the case of Rebecca Gray, who was recently convicted at Warrington Magistrates’ Court on 18 January 2017 of an offence contrary to Section 55 of the Data Protection Act.
Section 55 makes it a criminal offence to knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data, or to procure the disclosure of personal data to another.
The defendant, who worked in recruitment, emailed the contact details of over 100 clients to her personal email address and used the information to contact them in her position at a rival recruitment company.
In addition to being given a criminal conviction, the defendant was fined £200 and ordered to pay £214 prosecution costs and a £30 victim surcharge. The court heard she subsequently lost her job.
As a preventative measure, employers are advised to:
- Make employees aware that criminal proceedings could be instigated if they misappropriate personal data
- Monitor an employee’s actions on electronic systems following notice of termination of employment, and review any unusual activity such as accessing large amounts of client contact details or other sensitive information
- Warn former employees and their new employers that matters may be reported to the Information Commissioner's Office where unlawful activity is suspected. A new employer can be held jointly criminally liable in certain scenarios.