Section 170 of the Data Protection Act 2018 makes it a criminal offence for a person to knowingly or recklessly:
(a) obtain or disclose personal data without the consent of the controller,
(b) procure the disclosure of personal data to another person without the consent of the controller, or
(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
Section 170 is similar to the offence under section 55 of the old Data Protection Act 1998 which was often used to prosecute employees who had accessed healthcare and financial records without a legitimate reason. Two recent prosecutions highlight the willingness of the Information Commissioner’s Office (ICO) to use section 170 to make examples of individuals who seek to access/steal data from their employers for personal gain.
In January, Asif Iqbal Khan pleaded guilty to stealing data of accident victims whilst working as a Customer Solutions Specialist for the RAC. Over a single month in 2019, the RAC had received 21 complaints from suspicious drivers who received calls from claims management companies following accidents in which the RAC had assisted.
A review of individuals that had accessed these claims found that Mr Khan was the only employee to access all 21. An internal investigation later reported suspicious behaviour from Mr Khan including taking photos of his computer screen with his phone. A search warrant, executed by the ICO, seized two phones from Mr Khan and a customer receipt for £12,000. The phones contained photos of data relating to over 100 accidents.
Khan appeared at Dudley Magistrates Court in January 2023 where he pleaded guilty to two counts of stealing data in breach of Section 170 of the DPA 2018. He was fined £5,000 and ordered to pay a victim surcharge as well as court costs.
This is the second recent prosecution under Section 170. In August last year, Christopher O’Brien, a former health adviser at the South Warwickshire NHS Foundation Trust pleaded guilty to accessing medical records of patients without a valid legal reason.
An ICO investigation found that he unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. One of the victims said the breach left them worried and anxious about O’Brien having access to their health records, with another victim saying it put them off going to their doctor. O’Brien was ordered to pay £250 compensation to 12 patients, totalling £3,000.
Of course a S.170 prosecution would have a much greater deterrent effect if the available sanctions included a custodial sentence. Successive Information Commissioners have argued for this but to no avail. This has led to some cases being prosecuted under section 1 of the Computer Misuse Act 1990 which carries tougher sentences including a maximum of 2 years imprisonment on indictment. In July last year, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners and in August, the ICO commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of customers’ personal data from vehicle repair garages to generate potential leads for personal injury claims.
If a disgruntled or rogue employee commits an offence under section 170, might their employer also be liable for the consequences?
In 2020, the Supreme Court ruled that as an employer, Morrisons Supermarket could not be held responsible when an employee, Andrew Skelton, uploaded a file containing the payroll data of thousands of Morrisons employees to a publicly accessible website as well as leaking it to several newspapers. The court decided that, whatever Skelton was doing when he disclosed his colleagues’ personal data, he was not acting “in the course of his employment”, and accordingly no vicarious liability could be imposed under the old Data Protection Act 1998.
However, Morrisons lost on the argument that the DPA 1998 operated so as to exclude vicarious liability completely. This principle can also be applied to the GDPR and so employers can “never say never” when it comes to vicariously liability for malicious data breaches by staff. It all depends on the facts of the breach.
This case only went as far as it did because the Morrisons employees failed to show, at first instance, that Morrisons was primarily liable for the data breach. If an employer fails to comply with its security obligations in a manner that is causally relevant to a rogue employee’s actions, it can still be exposed to primary liability under Article 32 of GDPR as well as the 6th Data Protection Principle which both impose obligations to ensure the security of personal data.