Have you ever suspected that employees who leave your business take your customers’ details with them when they go?
Individuals who do this can be fined up to £5,000 in a magistrates’ court or receive an unlimited fine in a Crown Court. Now, the Information Commissioner’s Office (ICO) is calling for tougher sanctions, including threatening prison sentences, to deter this from happening.
Unlawfully accessing and using personal data about customers can be hugely beneficial to individuals who are seeking to start their own business or work at a competitor, or who simply want to cause mischief.
It may feel like an unmanageable situation, but there are a number of things you can do from an HR and Employment Law perspective to control the risks.
Employees
If you don’t have a policy in place, then get someone who is legally qualified to draft one for you.
In your policy, you should reserve the right to look at the contents of all incoming and outgoing work emails and the history of the web pages browsed using work devices. You should also reserve the right to have a call recording system in place (for example, for training, quality or service delivery purposes). This may put employees off accessing and using data and also help you investigate matters if you suspect a breach.
Remember, employees are under an implied duty of fidelity. This means that if an employee does use or disclose confidential information without your permission, it could be considered to be gross misconduct and pave the way for summary dismissal.
If you notice someone covertly scanning or photocopying data or copying files onto an external drive, you can apply for an injunction to secure and recover the data that has been stolen.
Ex-employees
If employees do have access to sensitive or confidential data, then you should ensure you have robust post-termination restrictive covenants inserted into the employee’s Contract of Employment.
There are different types of provisions:
- a non-poaching covenant, to stop employees poaching former colleagues.
- a non-solicitation covenant, which means they cannot take your customers.
- a non-compete covenant, preventing the employee from working for a competitor.
- a confidential information covenant, which restricts the use of confidential information.
Great care must be taken when drafting these covenants to ensure they are enforceable, so make sure you get legal advice as soon as possible from our Employment Law Advisers.
If the worst has just happened…
If there has been a breach, then don’t ignore it. You need to think about notifying the individuals concerned. Interestingly, there’s no legal duty imposed on data controllers to report any breaches to the ICO.
Beware: the law is changing
The EU General Data Protection Regulation comes into force on 25th May 2018, bringing about changes which businesses must start preparing for now.
In cases of data breaches, for example unauthorised access to personal data which is likely to result in a risk to the rights and freedoms of individuals, businesses must notify the relevant data protection authority without undue delay and where possible no later than 72 hours after the breach. Data subjects must also be informed without undue delay about breaches that could pose a high risk to their rights and freedoms.
If this is affecting your workplace, contact your Employment Law Adviser who can guide you.