To many people, sending work emails to their personal email address is a very convenient way to continue working away from the office. However, quite apart from the data security risks involved, doing so could be a criminal offence under data protection law.
The Data Protection Act (DPA) says that a person must not knowingly or recklessly obtain or disclose personal data. The law exists for a reason – people have rights over how their data is processed and it’s only right that people’s privacy is protected. When it is not, the Information Commissioner’s Office (ICO) can and increasingly will take action against those responsible.
Robert Morrisey, a charity worker, without any business need to do so and without the consent of his employer sent 11 emails from his work email account to his personal email account which contained the personal data of 183 people, included full their names, dates of birth, telephone numbers and also medical information.
Mr. Morrisey appeared at Preston Crown Court and admitted unlawfully obtaining personal data in breach of section 55 of the DPA. He was given a conditional discharge for two years and was also ordered to pay prosecution costs of £1,845.25, as well as a victim surcharge of £15.
The Head of Enforcement at the ICO, which brought the prosecution, said: “People have a right to expect that when they share their personal information with an organisation, it will be handled properly and legally.”
In 2017, the ICO also prosecuted other cases involving employees in local government, the NHS and the private sector who were caught prying into the personal data of patients, friends, colleagues or other people they knew without a valid or legal reason.
At the moment, section 55 offences can only be punished with a fine but the ICO has made it clear that it would like to see custodial sentences introduced as an option in the most serious cases.
Remember – just because you can, doesn’t mean you should.