Charity employee prosecuted for making own copies of sensitive personal data


People working with personal information have been warned they have to obey strict data privacy laws after a charity worker was prosecuted for making his own copies of sensitive personal data.

Robert Morrisey, 63, sent spreadsheets containing the information of vulnerable clients to his personal email address without the knowledge of his employer, and data controller, the Rochdale Connections Trust.

He sent 11 emails from his work email account on 22 February 2017, which contained the sensitive personal data of 183 people, three of whom were children. The personal data included full names, dates of birth, telephone numbers and medical information. 

Further investigation showed that he had sent a similar database to his personal e-mail account on 14 June 2016.

Morrisey, of Milnrow, Rochdale, appeared at Preston Crown Court and admitted unlawfully obtaining personal data in breach of Section 55 of the Data Protection Act 1998. 

He was given a conditional discharge for two years and was also ordered to pay prosecution costs of £1,845.25, as well as a victim surcharge of £15.

Rochdale Connections Trust declined to comment on the case.

The Information Commissioner’s Office, which brought the prosecution, has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

This includes criminal prosecution, non-criminal enforcement and audit, and the power to impose a monetary penalty on a data controller of up to £500,000.

This power to levy fines and civil penalties will rise under the new GDPR in May 2018 to up to 4% of annual global turnover or €20 million (whichever is greater) for the most serious breaches.

Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate and up to date;
  • not kept for longer than is necessary;
  • processed in line with your rights;
  • secure; and
  • not transferred to other countries without adequate protection.

These data protection principles will become even more important when the GDPR comes into force, when organisations will need to be able to demonstrate compliance through ‘privacy by design’.

Those policies must be understood and adhered to by employees and applied consistently by the employer to instill a culture of appropriate and lawful behaviour across its entire workforce.