2 Mar 2017

When faced with a departing employee, a key concern for all employers is that the employee will take valuable and confidential business information in order to use or (perhaps more accurately) misuse it in their next role.

When faced with a departing employee, a key concern for all employers is that the employee will take valuable and confidential business information in order to use or (perhaps more accurately) misuse it in their next role.

Preventing and managing the potential misuse of such information can be challenging for businesses. The usual and more well known recourse is to sue, or at least threaten to sue, an employee for breach of confidentiality provisions and/or restrictive covenants which have (hopefully) been included in their employment contract. Although this is the right approach in some cases, and employers should always draft contracts to give themselves this option, it can ultimately be an expensive process. Employers, therefore, may be pleased to hear that the Information Commissioner’s Office (ICO) has shown that it is prepared to use its teeth, and bring criminal proceedings against departing employees for unlawfully obtaining and using personal data. This could prove to be a salutary, and effective, deterrent for employees who are considering taking data with them when they leave.

In recent weeks the ICO has reported that it has exercised its powers to convict an employee, who moved from one business to join a competitor, for data theft. Rebecca Gray was a recruitment consultant and joined a rival recruitment agency. She took the (not unusual) step of emailing her own personal email account with the contact details of approximately 100 existing and potential clients. She then used this data to contact the individuals when in her new job. This is a common set of facts in the industry. Not so common, however, was the outcome. The ICO brought criminal proceedings against her under the Data Protection Act 1998 for unlawfully obtaining personal data; the wronged party being the former employer (as the data controller). The problem for Ms Gray was that, while those clients may have consented to providing their personal data to her old recruitment agency, they had not given permission for her to download it and take it to be used by another agency, or for any other purpose.

The financial consequences were minimal for Ms Gray, following her guilty plea: a fine of £200, an order to pay £214 prosecution costs and a £30 victim surcharge. Inconsequential compared to gaining a criminal record, as well as losing her new job, and potentially devastating her prospects for future employment in her chosen career.

It is not clear whether Ms Gray had good confidentiality provisions or restrictive covenants in her employment contract, but they are relatively standard in recruitment industry contracts. If so, another option would have been for her ex-employer to engage lawyers and threaten to bring a High Court claim, if she and her new employer didn’t agree to return and then permanently delete all copies of the information. A good lawyer’s letter, and some robust negotiations, often has the desired effect. However, if the ex employee and new employer call your bluff, the resulting legal proceedings can take up a large amount of management time and can be very expensive. In this context it will be useful, tactically, to have another angle with which to potentially threaten an employee who has taken client data.

Although it is the ICO that brings such criminal proceedings, the wronged ex-employer would need to have informed the ICO of a data breach. Further, there may be an obligation on employers to report any misconduct to other regulatory bodies (such as the Financial Conduct Authority). Historically there has been reluctance by employers to bring a criminal complaint against their former employees, even in the most flagrant cases. At the very least, however, the knowledge that criminal prosecution is a potential avenue which employers can pursue for data theft by former employees is a powerful armoury. Employers therefore can and should be communicating this to employees.

Key takeaways for employers:

The decision serves as an important reminder to businesses (whether as the wronged party or the new employer) that criminal action for data theft is a potential avenue for retribution by the wronged party.

  • Tread with caution: Employers should be vigilant when recruiting new hires who claim to be able to bring client lists, or other confidential business information which could contain personal data, across with them. All businesses have a duty to ensure that they are not breaching data laws, and there is a real risk that the ICO could target a new employer (alongside the relevant employee) if they are aware such information probably belongs to the former employer and then processes that data.
  • Employment contracts: Your contracts should include well-drafted confidentiality provisions and restrictive covenants – as an employer, the more angles you can approach the issue from the better. If you don’t have good restrictions in your employment contracts, you won’t even be able to make the argument that the employee is breaching their contractual obligations. This will leave you exposed and in a weak negotiating position.
  • Policies: Employers should ensure that any internal policies relating to confidential information, data protection and information usage are clear about any obligations or requirements, include any potential sanctions for non-compliance and have been properly communicated to all staff.
  • A culture of awareness: Employers should take steps to ensure that employees are aware of their obligations and the potential ramifications of breaching both their employment contracts and the data protection legislation. This may include staff training to ensure employees understand their legal obligations around data usage and the sanctions for breach.
  • Employment termination: The company leaver process, as well as related documents (such as the employment contract and/or staff handbook) and communications, should include a duty to return and/or (where necessary) destroy all confidential information.

To find out more, please get in touch with Razia Begum, or sign up for email updates here.