What you need to know about data protection when an employee leaves | Legal Thinking Podcast
This podcast transcript has been edited in places for readability. You can also listen to our podcast on your podcast platform of choice.
This week we’ve got Carl Selby on who's a partner in our Tech sector. He came on to explain how employees who are leaving and take data are actually not only annoying their employer and doing something perhaps against their employment contract and breaching confidentiality, they're also breaching data protection law and could even be criminally liable, so even beyond the purview of our law firm.
So, Carl, thanks for joining us. Obviously in different episodes on this series, Liam and I have talked to various members of the employment team about confidential information and how that can be taken to competitors and all that stuff and how to protect people, but today we're going to talk very specifically about data protection in light of confidential information and it going to new companies. So I guess the first question I have for you, as always, when it comes to data protection, is a question about the GDPR.
What are the implications of a data breach involving confidential information with regards to the GDPR, and what legal obligations employers have about protecting that information?
Yeah, so when it comes to personal data, by which we mean any data that relates to a living individual (so if you deal with dead people you don't need to worry about it).
But if they're alive then you've obviously got obligations as the data controller – which most employers would be with regard to the information they've got about customers, particularly if they're consumer customers, but even if they are corporate customers and you're talking about contacts at those corporate customers – to protect that information and stop it from being unlawfully processed, which would include it being taken elsewhere or being lost from your own system.
So if an employee decides that they want to take that data to a new employer without consent, then that's a data breach, and if they deleted information from the employer's systems as they were exiting, that too would be a data breach, although they may well be linked.
So for the controller, so the employer in those circumstances, there's two main consequences:
The ICO, Information Commissioner, could look to obviously investigate and if they decided that there had been a data breach, they've got the power to levy fines of up to £17.5 million or 4% of worldwide turnover, whichever is the higher. So obviously that's potentially quite a significant fine. You might have heard recently sort of TikTok have been fined £12.7 million for failing to deal with children who access their platform properly. So avoiding getting parental consent.
And the level of fines can be very significant. Obviously for most employers hopefully the level of data breach wouldn't be that significant but there's still a potential for a big fine.
The individual data subjects concerned may have a right to take direct action if they've suffered a loss as a result of their personal data having been removed, and, of course, the big one really is the loss of reputation that you'd suffer, not only amongst, well, the other employees internally, but also possibly in the wider world if it got into the press and you became known as not having very stringent personal data protection mechanisms which could impact on your ability to do business with people going forward and in certain sectors.
You know, it may be something that comes up when you are trying to get new contracts and there's questions that come out about your data security. We're certainly seeing more and more of that when we're helping clients either tender for contracts or if they are seeking to get contracts from, in particular, larger businesses, they're starting to focus much more on what your record is on data breaches and data security because there's a knock-on potential impact for them if the data relates to them or data subjects that they have shared with you or you're processing on their behalf. So that can affect your ability to get contracts going forwards.
There's also liability for the employee, which often gets lost in these discussions, which is, for a start, they can be personally liable to the employer because they have, I would imagine, failed to adhere to the company's policies. There aren't many companies that I know that let their employees freely take data, in particular personal data, as they exit. But there is also potential criminal liability under section 170 of the Data Protection Act, which incorporates UK GDPR as well. If you knowingly or recklessly obtain, disclose or procure personal data without the consent of the data controller, or offer or sell that personal data, again, without consent, then you have committed a criminal offence and there obviously can be criminal penalties attached to that. I haven't known any recent prosecutions of that, but there was one under the previous legislation on very similar provisions back in about 2016 where someone was prosecuted for having left their employer, taken their whole customer list with them to a competitor and just started phoning their old contacts. Yeah. Well, I think it was even ...it was just phoning them, but they'd done all that without any consent from anyone. And got found out and, yeah, the police got involved, and so there is potential for fairly serious consequences for both employee and employer.
And, of course, if you're an employee and you, say, got in the press as well for having done this, then future employers are going to be probably, if they get wind of it, they're going to be far less likely to take you on because they're not going to trust you to look after personal data or other confidential information that the company might have once they know that you've done this previously.
So just to bring it back to the employment angle of that, the legal action that employers can take would obviously be kind of determined by what contracts they have in place with regards to policy.
Like you said, it's not often a company wouldn't have a policy in place about taking data away from the company. Is that right? And what would they be open to doing? Would they be suing for damage to reputation, suing for loss of whatever or what? How would that work?
Well, I'm sure that it’s probably better to talk to the employment team, if I'm honest, but most employment contracts would say that you've got to comply with the company policies. If you've got a data protection policy, I'm sure one of the points in it, certainly, if we drafted it, it would have it in, would be you cannot take personal data without the consent of the employer.
So they would sue you for breach of that provision in your employment contract. Obviously, if it was whilst you were employed and you weren't exiting, then you've potentially got the possibility of it being misconduct of some form or gross misconduct and therefore obviously losing your job if it's proved against you. So there's, again, quite serious personal consequences and it's for both parties involved, they're both employer and employee where there could be issues going forwards from a legal point of view.
Yeah, and, I mean, you've kind of talked a little bit about kind of the cover that businesses can take to protect against data breaches and we've kind of talked about different things on other episodes of this series, but can you talk maybe from a tech perspective about what options and practices companies can kind of put in place to ensure that these kind of breaches don't happen?
Are there any examples you can give of what kind of maybe sophisticated processes that companies do, or anything that's maybe not even sophisticated and really easy for a smaller business to do?
Yeah. Well, in terms of protecting personal data as the employer, it's the organisation, as data controller, that has the obligation to do so; under UK GDPR you've got to take appropriate technical and organisational measures to protect the personal data that you are processing, and that does depend on a number of factors, but includes how sensitive that personal data is and the resources available to you as the controller to protect it.
So there is an element of proportionality here. If you are the NHS and you're dealing with all NHS patient records and you've got government funding behind you then you're expected to do much more than if you were a small consultancy business that offers support on, I don’t know, a retail process and marketing.
Yeah, like an e-commerce consultant or something like that maybe.
Yes, exactly. So, yeah, if you're a small e-commerce consultant and you are handling some personal data as part of that work, then you wouldn't be able to take, or wouldn't be expected to take, as great a set of precautions against loss of that personal data as you would be if you were the NHS.
And obviously there's a lot of grey in between those two extreme examples, but, in practical terms, there's also a balance that employers would have to strike between how easy they want it for their employees to be able to access and use the personal data in the course of their normal business, and how stringent the technological measures are to try and lock that down to prevent a data breach. So, there obviously has to be a balance and there's an element of you've got to trust employees not to do this kind of thing rather than locking down every system so it's impossible to do so, but just a few very high level tips that you ought to think about:
First of all, making sure that only people who need certain levels of permission have them. So it might be that you've got your sort of administrator level person who can do a lot more than your, say, normal ...let's take a sales team. You might have the head of that team who's got the ability to make lots of changes to a CRM system, say, which is logging data about customers, but the people who are actually using that CRM system on a day to day basis to facilitate sales activity wouldn't have the ability to, say, export that data or delete it so that you know that they can't just put a USB drive in their computer or whatever and download a copy of that data, but they can still access it, they can still use it for the purposes that they need to, to be able to do their job.
So when you're looking at individual roles, you should try and work out as far as is possible what permissions people need, at what level of the organisation to be able to do their job properly and give them no greater access than that, and then also look at systems that would, as I say, lock down certain abilities to export information. That can be a bit tricky because if you stop people, for instance, being able to attach things to emails so that they can't email themselves a spreadsheet, well, yeah, that's great, that stops that particular problem but people need to attach things to emails all the time and it's almost impossible to have a system that prevents only certain things from doing it, being exported or sent via email.
There are more and more sophisticated systems becoming available where you can scan in the background to try and identify where certain information is leaving the organisation. The most classic example is like credit card details. There's software that you can buy nowadays which will scan emails as they're being sent out for credit card or bank account details so that they don't leave organisations, if that's something organisations need to do to protect themselves. The other thing is keeping audit trails of what has happened so that, if you become aware that someone has done this, you can quickly assess the scale of the impact of what they've taken, what the ongoing use of that data might be with them, and take effective and quick action to stop that. Because if something does go wrong and someone does take information without consent, then the employer has got a quite onerous obligation really to review that quickly, understand as far as is possible what the impact of that is on the data subject. So is it a serious thing that they need to be told about so that they can take steps personally to stop any further harm to them? The most obvious one would be if you had an e-commerce site and for some reason it had open access to credit card details for customers and an employer became aware that someone had taken those credit card numbers; well, it's obviously very important then to tell the data subjects that their credit card number has been compromised so that they can cancel the card and stop other people using it fraudulently.
So it all needs to be assessed on a risk basis to understand what it is, but then take measures to do that to the extent that it's sensible and possible to do that and you've got to weigh the risk of what might happen against the practicality of implementing that measure and how difficult that's going to make it for people to do their job.
As much as there are those technological things that you can do, there are also practical things that you can do to try and minimise the risk associated with the data breach, and that's for two reasons, obviously, to make sure they don't happen in the first place as far as is possible, but also if an ICO investigation is needed as a result of something that does happen, to create that audit trail that you have done as the employer, what you can to make sure that you're complying with UK GDPR. So you need to have good policies and procedures in place and you need to follow those policies.
All too often people come up with a policy and then it turns out in practice they don't do what the policy is saying and the ICO are going to look slightly dimly on that on the basis that what's the point of having a policy if you don't bother enforcing it?
But the other thing to do is make sure you are having regular training with your staff to make sure they understand their data protection obligations, what it means for the organisation, but also what it means to them personally and that they can't simply treat that data as something that could be copied and taken somewhere else, and, if you can hammer home that message, you might discourage a few people who might otherwise have been tempted because they were ignorant of what the potential issue was from doing it in the first place.
Obviously, if someone is determined to do that – and sometimes we see it where they're doing it out of spite because they feel they've been treated badly by the employer and they're taking personal data to make threats of, “We're holding this”. We need to get it back a bit like a hacker would do where they put ransomware in and hold you to ransom. The only problem for those employees is it's much easier to catch people when you know who they are than if you're a ransomware attacker the whole thing is anonymity, but you still ...we've certainly had cases in the office that I'm aware of where people have deliberately taken personal data to basically say to the employer, “Well, look what I've done. I've got this. Now, you've committed a data breach”. Well, great, but you've also got yourself in a lot of trouble at the same time.
And then there are systems as well that will help with breach detection. So you might be able to have flags that say we are aware that there's unusual activity on a user account because they have done certain things. They might have downloaded a large amount of data from a shared document folder, or they might have, as I said earlier, emailed themselves, and the sooner you are aware of the breach, the more you can do to stop it. So, for instance, you might be able to get an injunction to prevent that employee who's taking the information from using it further to further enhance the risks to them from doing that and create greater criminal liability on their part if they continue to ignore that injunction.
So many ...hopefully that's enough examples of ...
Yeah, yeah. No, that's plenty.
Now, in the unfortunate event that a data breach does occur, of this sort where an employee leaves and takes a load of data with them, what should an employer be doing in the first instance?
Yeah, sure. So, first of all, they need to act quickly. It's not something that an employer can sit on if they become aware that this has happened. They've essentially got to review what data has been taken, what data subjects have been affected, and what the impact is on those data subjects, and then make a decision as to what they're going to do next, because if it is a serious breach and there is a high risk to data subjects' rights and freedoms, the credit card example I used earlier being an obvious example of something that's high risk, the data controller, so the employer in this case, would have 72 hours from becoming aware of the data breach to report that incident to the ICO and, if they fail to do that, then that in itself is a further data breach. So you've got to act quickly, but you also need to take steps, if at all possible, to stop any ongoing breach.
So it might be, as I said, you need to try and get in contact with the person who's stolen it and try and get them to return the data or give you undertakings that they haven't or won't use that data in any way that's not permitted going forwards or, even in an extreme example, if they refuse to do that, go to court to get an injunction to prevent them from doing it, but, there's lots of complexities in that situation, it's very fluid.
So I think the first thing that any employer in that situation should do is get advice. We have a specialist team here who can deal with data breaches and help them through that process, but also they ought to contact their insurers because if you've got cyber insurance or something similar that may well cover you in the event of a data breach, because the costs of dealing with these things could be quite high and the losses to individuals can also be quite high and the insurers will have views on how these matters should be handled to protect their interests but also to protect the company involved.
So, yeah, check your insurance and make sure, if you do need to notify your insurers, you are doing so promptly so they can't turn around later and say, "We're not covering the claim because you didn't tell us in time".
I was just thinking, you mentioned about the fact that we're obviously now in UK GDPR, as opposed to GDPR following Brexit. And I just wonder are there any further changes that are on the horizon down the line with regards to data protection law? Because I know the government's wanting to look at making data protection law maybe less onerous on businesses and things like that.
So is there anything that might impact upon this particular area of data protection at all?
I suspect they're not going to water down too much the principles that mean if you lose personal data or someone takes it that there's less liability for them on it. It’s more ...the reforms are more about opening up the possibility, for instance, of using data sets with personal data to train AI and things like that.
I suspect the government certainly hasn't got this at the forefront of its mind at the moment, they've got enough issues to deal with outside of this, but they have made noises about making it less onerous, or data protection law less onerous generally, and making it easier for organisations to comply, or less burdensome to apply, but I think the problem they're going to face with that is, as you mentioned, it is now UK GDPR which is basically a mirror image of what the EU's GDPR regulations are at this point in time and, if they diverge from that too much, there is a real risk that the EU will look again at the UK's adequacy decision, which basically at the moment allows free data flows between the EU and the UK of personal data because the UK is deemed to have basically the same levels of protection that the EU does, and the moment that the government tries to water down any of those provisions there's a risk that the EU will cut off the tap and say, “You no longer have adequate protections in place”, and that'll be a real headache for an awful lot of businesses that at the moment have got that flow of information. And that might be, if you were looking at that rationally as the government, you might say, “Well we've got various economic challenges at the moment, this is not another one we need to add into the mix”, but I wouldn't like to predict what the government will do in the run up to an election at probably the end of next year.
I was about to say, well, hopefully they'll continue to think rationally, but I don't think that applies really.
I'm trying to be optimistic here. I can't just get involved in doom and gloom all the time.
No, no, no, absolutely. Well, yeah, I guess all I've got left to say now is thanks very much for your time, Carl. Thank you for listening to Legal Thinking and thank you to our guests for joining us on today's podcast. If you want to find out more about the topic that was discussed today, make sure to have a look in the show notes where we'll have linked everything up.