Data protection breaches by employees
Data protection breaches aren’t uncommon in certain sectors, particularly in local government and NHS trusts. However, a number of recently reported incidents have shone the spotlight on professional services organisations and registered professions.
All professional services employers will hold untold amounts of data relating to their employees, clients and third parties. How this data is managed, stored and disposed of is critical, and a failure to comply with the stringent Data Protection Act (DPA) principles can cause not only a headache for an organisation, but significant fines or even a jail term.
Two recent examples have focused on the legal profession, but provide learning points for us all:
A solicitor working in-house for a local authority in relation to a number of sensitive child protection cases took documents, including medical records of clients, home with him to continue working on them, but lost them on the way home. The documents were handed in by a member of the public. The Information Commissioner has ordered the Council to carry out further data protection training and the solicitor in question has been disciplined.
In another widely publicised incident, a paralegal was prosecuted for breaching the DPA by taking sensitive information about clients with him when moving jobs. He had taken several document templates with him which still contained information about clients. The paralegal is unlikely to be alone in doing so, as many employees will be unaware of the risks and consequences of a breach, or may even have little care at the end of the employment relationship.
WHAT ARE THE RISKS?
These incidents raise a number of concerns for employers:
- Reputational damage. Clients are likely to lose confidence in your organisation if they hear that your employees have been disciplined or even prosecuted for data protection breaches. Prospective clients will become familiar with your brand for all the wrong reasons.
- Risk of employees being struck off by disciplinary bodies. Your organisation risks losing skilled staff and having to incur recruitment costs to replace an employee who has been struck off by a regulatory body for data protection breaches.
In order to ensure that you and your organisation are beyond reproach, steps should be taken to educate and inform all employees on the obligations contained in the DPA, including formulating a policy on data protection whilst working remotely. For further information, please contact Kevin Poulter.
19 Jan 2015