In a foreshadowing of the implementation of the General Data Protection Regulation (‘GDPR’) next year, the Information Commissioner’s Office (‘ICO’) has taken the decision to fine an employee for unauthorised disclosure of personal information.
The employee concerned was a recruitment manager of a data controller company. He emailed 26 CVs of job applicants to a third party company, without the consent of his employer or of the individuals concerned. There was no business need or other lawful purpose to justify this.
The disclosure was discovered when some candidates were found to have submitted two CVs: one through the company, and one individually.
The employee was prosecuted for knowingly or recklessly disclosing personal information and pleaded guilty. He was fined £573, ordered to pay £364 prosecution costs and £57 victim surcharge.
This decision illustrates the potential liability for individuals as well as businesses in failing to comply with Data Protection obligations. It also paves the way for stricter compliance with data protection regulations through the new GDPR which comes into force in May 2018.
Fines from May next year will potentially be far larger, with a greater burden on employers to proactively show that they are compliant with the GDPR. Failure to comply with the requirements of the GDPR can result in fines of up to 20 million euros, or 4% of the annual turnover of a business, whichever is greater.
If you would like further information on GDPR and its impact on your business, please contact Katherine Cooke. We will also be organising a GDPR seminar focusing on the HR aspects on 14 November 2017.