An individual who worked at the Crown Office and Procurator Fiscal Service (COPFS) headquarters in Glasgow has been charged with a criminal offence under the Data Protection Act 2018 (the DPA) and handed a £420 fine by Glasgow Sheriff Court. Her role within COPFS included tasks such as photocopying, scanning, filing and updating management systems. The woman undertook various searches between April to May 2019, including for information relating to a historical driving offence committed by her father, and for information relating to her then boyfriend. She was relatively new to her role in the High Court sexual offences team and claimed that she was performing the searches on her work system in order to better acquaint herself with the computer software.
The Sheriff was not convinced, and she was charged with recklessly obtaining personal data without consent.
More about the offence
Under Section 170 of the DPA it is a criminal offence for a person to knowingly or recklessly (i) obtain or disclose personal data without the consent of the controller, (ii) procure the disclosure of personal data to another person without the consent of the controller, or (iii) after obtaining personal data, retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. To establish the offence, there must be an element of intent, implying that the individual accessing the data knew or was reasonably expected to know that they were not authorised to do so.
As a result, this individual now has a criminal record as well as having to pay the fine. She was dismissed from her role in October 2020 following an investigation.
Key takeaways
It is often forgotten that UK data protection legislation includes scope for individuals within an organisation to personally be held liable for criminal offences. In the midst of various high profile data protection related headlines, this conviction is a stark reminder for organisations to ensure that all staff, as a minimum, understand the basics of data protection law, and are aware of any associated risks of non-compliance which are pertinent to their roles.
The level of fine imposed in such situations is determined based on the severity of the breach and its impact on the affected individuals. In the most serious cases, imprisonment may be imposed as a penalty. It is hard to think of a stronger deterrent than making staff aware that they could be charged with a criminal offence for mishandling personal data.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.