Employment Law and Data Protection

Employment lawyers have tended to see data protection as an employee weapon; in particular the strategic fishing expedition subject access request as a precursor to High Court or Tribunal claims. But there is at least one angle from which the DPA can be used as a weapon of attack by employers against former employees. Where an employee leaves their employer and takes a client list with him, not only will he be in breach of the usual restrictive covenants he is likely to have, but he may also have committed a criminal offence under section 55 DPA.A reminder of this comes from the recent conviction of a Mr Mark Lloyd who, when leaving his employment at a waste management company, emailed to himself a list of 957 customers of the company. Mr Lloyd was off to work for a rival, and the list contained personal information including the contact details and purchase history of customers and commercially sensitive information. So far, so standard practice for those working in the High Court employment world. Ordinarily one would be off to the High Court seeking an injunction to enforce any restrictive covenants (if they have been sensibly drafted) and confidential information provisions.

But on this occasion, Mr Lloyd was reported to the Information Commissioner, who prosecuted him for a breach of section 55 of the DPA. Section 55 makes it a criminal offence knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data, or procure the disclosure of personal data to another. (There are various defences in section 55(2).) In this sort of standard employment scenario, there will very often have been an offence committed and so it proved in the case of Mr Lloyd, who was convicted and fined £300, plus costs and a victim surcharge.

As weapons go, section 55 is not ideal. By section 60, a prosecution can only be brought by the Commissioner or with the consent of the DPP. A private prosecution is likely to be rare, at best. It is also a perennial complaint of the Commissioner that the sanctions are too low. But an aggrieved employer looking to exert pressure would be well advised to report its former employee who has purloined customer details to the Commissioner to commence an investigation into a section 55 prosecution, or threaten to seek the consent of the DPP. Of course this will only work where the customers are individuals rather than companies but it will often be the case that at least some of the data is personal to an individual. The fact that a criminal offence has been committed may also assist the employer in making out economic tort claims based on unlawful activity.

On this subject, employment lawyers will also wish to note that the final text has now been agreed of the new EU Trade Secrets Directive (244/2016/EU), on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. It has not yet been published in the Official Journal, but when it is there will be a two year period before it enters into force. The final version of the text is here. The Directive is likely to have a significant role to play in clarifying (after initially confusing) a complicated area of English law on a cross-border basis.

Christopher Knight