Former Council Chief Executive Prosecuted under Section 77 FOI 

Section 77 of the Freedom of Information Act 2000 (FOI) makes it a criminal offence for a person to do anything with the intention of preventing the disclosure of information pursuant to an FOI request. The offence can be committed by any public authority and any person who is employed by, is an officer of, or is subject to the direction of a public authority. Regulation 19 of the Environmental Information Regulations 2004 creates an identical offence, albeit with slightly different provisions governing government departments. 

Last week the trial began of the former Chief Executive of Mid and East Antrim Borough Council, who has been charged with three offences relating to records kept by the council. Anne Donaghy faces three charges under section 77 FOI, namely: altering a record to prevent disclosure, attempting to alter records, and aiding and abetting the alteration of a record. Ms Donaghy denies the allegations and is contesting the charges.

A BBC Spotlight programme previously reported that the charges were connected to alleged attempts to delete correspondence relating to the decision to withdraw council staff operating under the post-Brexit trade conditions known as the Northern Ireland Protocol. The staff, who were carrying out checks on goods arriving from Great Britain, were removed because of apparent threats from loyalist paramilitaries. 
It later emerged Ms Donaghy, who was chief executive at the time, had written to the Cabinet Office before the decision to remove staff was taken. She told the UK government graffiti had been directly targeting council staff working on checks. 
The then Agriculture Minister, Edwin Poots, subsequently withdrew inspectors performing the checks at ports in Northern Ireland. However, shortly after, all staff had returned to duties. The Police Service of Northern Ireland (PSNI) issued a threat assessment stating it had no information to support claims of loyalist paramilitaries threatening staff safety. 

Prosecutions under section 77 are extremely rare. The main reason for this is that there must be proof (‘beyond reasonable doubt’) of intent to destroy, conceal, deface etc. This may be difficult to do after the event.   

The only other section 77 prosecution was in March 2020. Nicola Young, a town clerk at Whitchurch Town Council, was fined £400 and ordered to pay £1,493 costs following a guilty plea. The facts of the case are that a person had made an FOI request to the Council for a copy of an audio recording of a council meeting. 
They believed that the written minutes of the meeting had been fabricated and so they wanted to listen to the recording of the meeting. Ms Young deliberately deleted the audio recording a few days later and then advised the requestor that the audio file had been deleted as part of the council’s destruction policy. 

Sales Consultant Prosecuted  

In June 2023, the Information Commissioner’s Office (ICO) disclosed that, since 1st June 2018, 92 cases involving S.170 offences (Data Protection Act 2018) were investigated by its Criminal Investigations Team. Section 170 makes it a criminal offence for a person to knowingly or recklessly: 

(a) obtain or disclose personal data without the consent of the controller, 

(b) procure the disclosure of personal data to another person without the consent of the controller, or 

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. 

Rogue workers accessing and abusing personal data for their own gain is a real risk for organisations with vast customer databases that have commercial value. There have been a number of S.170 prosecutions by the ICO recently. The latest involves a sales consultant at a car leasing company. 

On 17th September 2024, Alexander Doré pleaded guilty to retaining and selling 3,600 customer records obtained from the car leasing company he worked for.
The information had been taken shortly before Doré resigned. He approached multiple competitor companies with this information, whilst claiming that it belonged to him. Doré was ordered to pay a fine of £1,200 and £300 costs.

The Head of Investigations at the ICO, Andy Curry, said: 

“Customers put their trust in any number of organisations on a daily basis to use and store their data in a legal and appropriate way. Mr Doré took advantage of that trust, as well as the trust of his employers, by taking customer information that he then passed on to other companies, purely for his own financial gain. 

“It is with great thanks to Leaseline Vehicle Management Ltd that they brought Mr Doré’s wrongdoing to our attention, and we were able to investigate. 

“We hope this successful prosecution shows we will work with companies to bring those committing crimes to justice.” 

If a disgruntled or rogue employee commits an offence under section 170, might their employer also be liable for the consequences? The answer is in our recent blog post.


Data Protection Prosecutions and Employer Liability

Rogue workers accessing and abusing personal data for their own gain is a perennial issue for organisations with vast databases of personal data that may have commercial value. Section 170 of the Data Protection Act 2018 makes it a criminal offence for a person to knowingly or recklessly: 

(a) obtain or disclose personal data without the consent of the controller, 

(b) procure the disclosure of personal data to another person without the consent of the controller, or 

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. 

In June 2023, the ICO disclosed that since 1st June 2018, 92 cases involving S.170 offences were investigated by its Criminal Investigations Team.  A recent prosecution involved a man who worked for Enterprise Rent-A-Car where he illegally accessed customers’ records. He was ordered to pay a fine of £265, along with costs of £450 and a victim surcharge of £32. S.170 is similar to the offence under section 55 of the old Data Protection Act 1998. S.55 can still be used to bring a prosecution where an offence pre-dates the current S.170 coming into force.  

In August, Jonathan Riches pleaded guilty under S.55 at Cardiff Crown Court. Mr. Riches, also a former employee of Enterprise Rent-A-Car, left the company in 2009 to establish his own personal injury firm. However, he remained in contact with former colleagues, through whom he illegally obtained details of individuals involved in road traffic accidents, then contacted them to offer legal services. At one point, Mr. Riches, through his accomplices, gained access to Enterprise’s internal database, allowing him to retrieve clients’ personal details. 

Previously, Mr. Riches had been ordered to pay Enterprise Rent-A-Car a £300,000 civil settlement. He was later interviewed by the ICO, which led to him being summoned to court in 2016. However, having relocated to the United States, he failed to appear, prompting a warrant for his arrest. He eventually returned to the UK and surrendered to authorities in 2024. 

Mr. Riches’s accomplices in the crimes had all been sentenced earlier. Judge Francis described Riches’s actions as part of a sophisticated and long-running scheme that involved a cynical breach of trust. He was fined £10,000, plus £1,700 in costs.

Of course, prosecutions for mishandling personal data would have a much greater deterrent effect if the available sanctions included a custodial sentence. Successive Information Commissioners have argued for this, but to no avail. This has led to some cases being prosecuted under section 1 of the Computer Misuse Act 1990, which carries tougher sentences, including a maximum of 2 years’ imprisonment on indictment. In July 2022, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners, and in August 2022 the ICO commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of customers’ personal data from vehicle repair garages to generate potential leads for personal injury claims.

Employer Liability 

If a disgruntled or rogue employee commits an offence under section 170, might their employer also be liable for the consequences? 

In 2020, the Supreme Court ruled that as an employer, Morrisons Supermarket could not be held responsible when an employee, Andrew Skelton, uploaded a file containing the payroll data of thousands of Morrisons employees to a publicly accessible website as well as leaking it to several newspapers. The court decided that, whatever Skelton was doing when he disclosed his colleagues’ personal data, he was not acting “in the course of his employment”, and accordingly no vicarious liability could be imposed under the old Data Protection Act 1998. 

However, Morrisons lost on the argument that the DPA 1998 operated so as to exclude vicarious liability completely. This principle can also be applied to the GDPR, and so employers can “never say never” when it comes to vicarious liability for malicious data breaches by staff. It all depends on the facts of the breach.

This case only went as far as it did because the Morrisons employees failed to show, at first instance, that Morrisons was primarily liable for the data breach. If an employer fails to comply with its security obligations in a manner that is causally relevant to a rogue employee’s actions, it can still be exposed to primary liability under Article 32 of GDPR as well as the 6th Data Protection Principle which both impose obligations to ensure the security of personal data. 


Rogue Employees and Personal Data

Section 170 of the Data Protection Act 2018 makes it a criminal offence for a person to knowingly or recklessly:

(a) obtain or disclose personal data without the consent of the controller,

(b) procure the disclosure of personal data to another person without the consent of the controller, or

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

Section 170 is similar to the offence under section 55 of the old Data Protection Act 1998 which was often used to prosecute employees who had accessed healthcare and financial records without a legitimate reason. Two recent prosecutions highlight the willingness of the Information Commissioner’s Office (ICO) to use section 170 to make examples of individuals who seek to access/steal data from their employers for personal gain. 

In January, Asif Iqbal Khan pleaded guilty to stealing data of accident victims whilst working as a Customer Solutions Specialist for the RAC. Over a single month in 2019, the RAC had received 21 complaints from suspicious drivers who received calls from claims management companies following accidents in which the RAC had assisted.

A review of individuals that had accessed these claims found that Mr Khan was the only employee to access all 21. An internal investigation later reported suspicious behaviour from Mr Khan including taking photos of his computer screen with his phone. A search warrant, executed by the ICO, seized two phones from Mr Khan and a customer receipt for £12,000. The phones contained photos of data relating to over 100 accidents.

Khan appeared at Dudley Magistrates Court in January 2023 where he pleaded guilty to two counts of stealing data in breach of Section 170 of the DPA 2018. He was fined £5,000 and ordered to pay a victim surcharge as well as court costs.

This is the second recent prosecution under Section 170. In August last year, Christopher O’Brien, a former health adviser at the South Warwickshire NHS Foundation Trust pleaded guilty to accessing medical records of patients without a valid legal reason.

An ICO investigation found that he unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. One of the victims said the breach left them worried and anxious about O’Brien having access to their health records, with another victim saying it put them off going to their doctor. O’Brien was ordered to pay £250 compensation to 12 patients, totalling £3,000.

Of course, a S.170 prosecution would have a much greater deterrent effect if the available sanctions included a custodial sentence. Successive Information Commissioners have argued for this, but to no avail. This has led to some cases being prosecuted under section 1 of the Computer Misuse Act 1990, which carries tougher sentences, including a maximum of 2 years’ imprisonment on indictment. In July last year, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners, and in August the ICO commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of customers’ personal data from vehicle repair garages to generate potential leads for personal injury claims.

Employer Liability

If a disgruntled or rogue employee commits an offence under section 170, might their employer also be liable for the consequences?

In 2020, the Supreme Court ruled that as an employer, Morrisons Supermarket could not be held responsible when an employee, Andrew Skelton, uploaded a file containing the payroll data of thousands of Morrisons employees to a publicly accessible website as well as leaking it to several newspapers. The court decided that, whatever Skelton was doing when he disclosed his colleagues’ personal data, he was not acting “in the course of his employment”, and accordingly no vicarious liability could be imposed under the old Data Protection Act 1998.

However, Morrisons lost on the argument that the DPA 1998 operated so as to exclude vicarious liability completely. This principle can also be applied to the GDPR, and so employers can “never say never” when it comes to vicarious liability for malicious data breaches by staff. It all depends on the facts of the breach.

This case only went as far as it did because the Morrisons employees failed to show, at first instance, that Morrisons was primarily liable for the data breach. If an employer fails to comply with its security obligations in a manner that is causally relevant to a rogue employee’s actions, it can still be exposed to primary liability under Article 32 of GDPR as well as the 6th Data Protection Principle which both impose obligations to ensure the security of personal data.
