7 Nov 2016

Employers beware: following a recent ruling, if you unlawfully access, use and disclose an employees’ personal information you risk prosecution in the civil courts.

Employers beware: following a recent ruling, if you unlawfully access, use and disclose an employees’ personal information you risk prosecution in the civil courts. In a recent case where the Metropolitan Police accessed personal information unlawfully, they were found to be in breach of both the Data Protection Act 1998 (DPA) and the right to privacy under Article 8 of the Human Rights Act 1998 (HRA).

The Brown Vs Commissioner of Police for the Metropolis case means that not complying with data protection rules will not only attract the enforcement powers of the Information Commissioner’s Office (ICO) but could also result in civil court action and pay-outs as well as significant legal costs and potential bad publicity for your brand and company. Looking at the case in more depth, there is a small mercy – if we’re stretching it – for employers in that the courts confirmed that there is no minimum level of pay out for these types of workplace privacy claims.

Overview of the case: unlawful use and disclosure of personal information

In the Brown case, the employer – the Metropolitan Police – had unlawfully gathered information about a former police officer’s travel arrangements to Barbados whilst she was on sick-leave. Fictitious legislation was quoted to obtain her travel details from a commercial airline and they also contacted the National Border Targeting Centre for further travel information. This led to the Met also obtaining information on the employee’s daughter who was under the age of 18 and also travelled on the trip. In doing this, the Met was found to have breached the first principle of the DPA – to process information lawfully and fairly, and to have also interfered with the officer’s right to privacy under the HRA.

In gathering the travel information, the Met had intended to use it to formally discipline the employee for failing to let her line-manager know of the travel arrangements whilst she was on sick-leave. It was the way in which it was gathered that was unlawful.

Two wrongs certainly didn’t make a right in this case.

Interestingly the Met conceded that they were at fault. As an employer, the key learning from this is that obtaining personal information of employees without their consent or through illegitimate means, even if it is for an internal disciplinary matter, could lead to civil court action.

Key outtakes

Inextricable link between the DPA and HRA

  • The DPA is not a stand-alone piece of legislation.
  • Breaching its principles by employers can trigger breach of the HRA, including the right to privacy under Article 8 as was the case here.
  • This link adds gravitas to an employee’s claim should they argue that their personal information has been unlawfully obtained.

No minimum level of compensation

  • This particular workplace privacy claim was distinguished from hacking claims, which carry a minimum £10,000 award.
  • Hacking involves the disclosure of highly confidential information for gain, widespread distribution or with the intention to harm or embarrass the victim in question – unlike in this case.
  • Those aggravating factors that give rise to a minimum level of compensation, do not apply to workplace privacy claims.

Legal risks v. brand reputation

  • It is important to acknowledge the impact of media scrutiny and its effect on brand reputation.
  • Often the impact of this can be more significant than the legal risks or awards/fines issued.
  • Here the Met, as a public employer attracted national media attention but we’ve also seen the reputational impact on larger, well known private sector employers recently also, such as, Morrisons and TalkTalk data breaches.

What this means for you

As an employer, be mindful of your compliance obligations under the DPA and the implications of unlawfully, even if for genuine purposes, seeking to dig out the personal data of your employees.

The officers involved in this case showed, according to the judgment, a “troubling lack of insight … or indeed any understanding that they or their force had done anything wrong in ‘data protection’ terms”. This shows how important it is to promote staff awareness, provide proactive compliance training to your workforce and equip staff with enough information to be able to make reasoned decisions as to how to handle personal information.

Non-compliance with the DPA is not an attractive option, as shown in this case. Along with legal action it can also attract brand damaging headlines, such as, the “Met Police breached data protection laws to spy on own officer” or “Sutton police “spied” on detective…to dig up dirt”., which can ultimately have reputational and financial consequences.

For more information, please contact Razia Begum on +44 (0)20 7382 8025.

Razia is a senior associate in the employment team. She specialises in providing commercial and practical advice to clients on employment and data protection legislation.