The Information Commissioner’s Office (ICO) has advised that a former Leicester City Council employee has been fined after “unlawfully obtaining personal data”. Accessing confidential information without permission and a valid business reason to do so is an offence and can incur serious consequences.
It transpired that the ex-employee obtained details of users from the Adult Social Care Department. The council discovered the misuse after the employee had left the organisation and started his own business.
The initial investigation revealed that 34 emails had been sent to a private email account in February 2016. It was later revealed that the emails contained personal information about 349 individuals, including information on medical conditions, financial details, records of debt and details of care.
Steve Eckersley, head of ICO enforcement, said:
“People’s personal data is protected by law and employees should not be helping themselves to information if they decide to set up a new business or move to a new position.
“Employees need to understand the consequences of taking people’s personal information with them when they leave a job role. It’s illegal and when you’re caught, you will be prosecuted.”
It is vital that organisations have the right security controls in place to prevent these attacks. Lack of user access management could allow unauthorised staff to gain access to highly sensitive customer information, which could then result in a data breach.
Educate your staff
Information security is critical within the business environment. Enrol your staff on our Information Security Staff Awareness E-Learning Course to give them a better understanding of what is expected of them.
The course advises staff on how to avoid becoming a security liability, introducing them to your internal policies on incident reporting and responses, and providing basic knowledge of information security best practice to reduce preventable mistakes.