1. Skip to Content
  2. Skip to Navigation
Toggle Menu


More news

Data Protection in the Workplace

04 Mar 2016

An employee of Enterprise Rent-A-Car, who sold 28,000 customers’ records in return for £5,000, has been fined by a court.

The administrative assistant was responsible for processing customer details sent to the car rental company by an insurance firm. The details included information about both the policyholder and their insurance claim.

Enterprise Rent-A-Car contacted the Information Commissioner’s Office (ICO) after it discovered the assistant was looking at a large number of records, including many that she would not have been expected to process and found that she had been taking photos of the records while on her PC screen, and then selling these pictures for cash.

The defendant pleaded guilty to unlawfully obtaining, disclosing and selling personal data, a criminal offence under the Data Protection Act 1998 (“DPA”). She was fined £1,000, ordered to pay a £100 victim surcharge and £864.40 in prosecution costs. The court also made a destruction order in respect of any data held by the defendant.

Currently, courts can issue unlimited fines for the offence, but the Information Commissioner has called for stronger sentencing powers for people convicted of stealing personal data, to discourage ‘would-be data thieves’. It has been suggested that possible sentencing powers should include suspended sentences, community service, and even prison in the most serious cases.

This case serves as a reminder that businesses must put in place appropriate technological and organisational security measures to comply with data protection legislation. Businesses should train staff on the importance of data protection and ensure that they understand the dangers of unlawfully obtaining, disclosing, buying or selling personal data, for example, by alerting their staff to the risks of people trying to obtain personal data by deception.

Any person or business that processes personal information must comply with eight principles of the DPA which make sure that personal information is:

  • Fairly and lawfully processed;
  • Processed for limited purposes;
  • Adequate, relevant and not excessive;
  • Accurate and up to date;
  • Not kept for longer than is necessary;
  • Processed in line with your rights;
  • Secure and confidential; and
  • Not transferred to other countries without adequate protection.

There could be serious financial, commercial and reputational implications for a business (including possible criminal penalties and fines) if personal data is not handled properly.

For further information, please contact Jonathan Waters, Corporate Partner at Hay & Kilner.

Call: 0191 232 8345