Employees warned against holding on to sensitive data when quitting a job

ICO says it will take a tough stance against those found in breach of Data Protection Act 2018

The Information Commissioner's Office (ICO) has sounded a warning to employees who deliberately retain "historical personal data" after moving on from their positions.

Under the Data Protection Act 2018, which closely mirrors the EU's General Data Protection Regulation (GDPR), workers who "knowingly or recklessly" hold onto personal data may face regulatory action.

Although general in scope, this reminder concerns individuals whose roles involve gathering and handling personal data belonging to clients, customers, or others, either electronically or in paper form. Violations would occur when workers make unnecessary copies of personal data after collection, as well as when they leave their positions and keep this information.

The warning comes after the UK's data watchdog decided, following legal consultation, not to take enforcement action against two police officers who had been interviewed by the media about a historic case they'd worked on involving an MP.

The two Met Police officers were investigated by the ICO under the previous legislation, the Data Protection Act 1998, after disclosing details about the case to the media. This was adjudicated under the previous legislation because the initial violation occurred prior to the GDPR coming into force on 25 May 2018.

The older act was updated to add in a tougher provision that made it unlawful to "knowingly or recklessly" hold onto personal data without the consent of whoever was the data controller at the moment the data was collected.

After legal consultation, the regulator decided not to take enforcement action, but warned that fresh provisions under the Data Protection Act 2018 mean that employees can face regulatory action if they are found to have retained information collected as part of their employment.

There are exceptions to this, however, which principally involve retaining personal data in instances where it's necessary to prevent crime, authorised by a court order, or in the public interest.

Although the ICO decided not to proceed with regulatory action against the police officers in this instance, the regulator has taken action over the years in similar cases of employees misusing personal data.

For example, the regulator prosecuted a charity worker in 2017 for making his own copies of sensitive data and emailing them to his personal email address without the knowledge of the data controller, Rochdale Connections Trust.

The worker sent 11 emails from his work email account in February 2017 which contained sensitive personal information of 183 people, including three children.

An education worker, meanwhile, was fined £850 and ordered to pay £713 in costs last year after illegally sharing personal data about children and their parents.

The former Southwark Council schools admission department apprentice was found guilty of screenshotting a spreadsheet containing information about children and their eligibility for free school meals before sending it to a parent via Snapchat.
