Thinking of taking client or colleague data to a new role? Think again, following a warning from the ICO
Recently the Information Commissioner’s Office (ICO) issued a stark warning to individuals who take client personal information to a new job. The warning followed the criminal conviction in September 2014, of a paralegal who unlawfully took the sensitive information of over 100 individuals without the permission of his employer, in anticipation of moving to a new role. The information which included workload lists, file notes and template documents, contained sensitive personal data of individuals in ongoing legal proceedings.
The paralegal was prosecuted under section 55 of the Data Protection Act (DPA) 1998, which makes it an offence to unlawfully obtain personal data either knowingly or recklessly without the consent of the data controller. The paralegal was fined £300, ordered to pay a victim surcharge and prosecution costs.
Implications for partners
This case is important for those partners considering a move. Whilst removing client information without permission will normally amount to a breach of the already high standard of loyalty and good faith a partner (including LLP member) is likely to owe to their firm, a criminal conviction brings with it perilous additional consequences for a partner on the move.
Where a partner unlawfully obtains or misuses without consent “personal data” which is, broadly, data relating to a living individual who can be identified from that data, the partner faces the risk of criminal prosecution. Personal data relating, for example, to individual clients (including named individuals at corporations) or indeed to colleagues and team members, which, for example, forms part of a business plan could expose the partner to serious consequences. The repercussions for professionals are unlikely to end with an ICO prosecution: a criminal prosecution may well lead to disciplinary action by a regulatory body with potentially career-threatening consequences.
Partners and all of those working in professional practices therefore need to be aware of this risk, particularly if potential new firms or recruiters request data identifying individuals (be it client names or team members) from the partner. This is in addition to the risk of breaches of express, implied and possibly fiduciary duties owed to the firm as a result of unauthorised disclosure or use by the partner of such information.
Implications for Firms
For firms, this conviction is also significant. It is a reminder that firms – as data controllers – must have in place appropriate security to prevent personal data being accidentally or deliberately compromised, including (but not limited to) training staff on data protection (with appropriate policies and procedure); having in place the correct security to protect that data; and being ready to respond to any data breach.
Firms should ensure that they remind departing partners – ideally in writing – of their obligations under the DPA 1998 in respect of client confidential information and also in respect of any contractual provisions relating to confidential information which also bind them.
Should a firm be confronted with an errant partner who has unlawfully obtained client data, the threat of a potential criminal conviction may help the firm in recovering that data. Whilst the conviction in this case was (and would be) sought by the ICO rather than by the firm, the potentially negative ramifications for partners are career-threatening. If there has been, or you suspect a data breach, the ICO sets outs helpful guidance on the steps you should be taking as a data controller: http://ico.org.uk/for_organisations/data_protection/the_guide/principle_7#breach
Summary
The recent ICO prosecution is a cautionary warning to partners and senior professionals of the risks of unlawfully misusing or taking client or colleague information to their new employer or firm. The ICO is pressing for more effective deterrent sentences – including the threat of prison – to stop the unlawful use of personal information, so partners should carefully consider what information they can provide to others when they are on the move.