A recent case has highlighted a potentially helpful mechanism in Data Protection legislation for employers to use if they are concerned about employees taking data when they leave.

Rebecca Gray was a recruitment consultant and joined a rival recruitment agency. She took the (not unusual) step of emailing her own personal email account with the contact details of approximately 100 existing and potential clients. She then used this data to contact the individuals when in her new job. The Information Commissioner (ICO) brought criminal proceedings against her under the Data Protection Act 1998 for unlawfully obtaining personal data, the wronged party being the former employer (as the data controller). The problem for Ms Gray was that, while those clients may have consented to providing their personal data to her old recruitment agency, they had not given permission for her to download it and take it to be used by another agency, or for any other purpose. Following her guilty plea, Ms Gray received a fine of £200 and was ordered to pay £214 prosecution costs and a £30 victim surcharge. This is nothing compared to gaining a criminal record, as well as losing her new job, and potentially devastating her prospects for future employment in her chosen career.

Peter Stanway, our BackupHR™ legal expert, comments:

Preventing and managing the potential misuse of such information can be challenging for businesses. The usual and more well-known recourse is to sue, or at least threaten to sue, an employee for breach of confidentiality provisions and/or restrictive covenants which have (hopefully) been included in their employment contract. Although this is the right approach in some cases, and employers should always draft contracts to give themselves this option, it can ultimately be an expensive process. Employers, therefore, may be pleased to hear that the Information Commissioner (ICO) has shown that it is prepared to use its teeth, and bring criminal proceedings against departing employees for unlawfully obtaining and using personal data. This could prove to be an effective deterrent for employees who are considering taking data with them when they leave.

There has been reluctance from employers to bring a criminal complaint against their former employees, even in the most flagrant cases. The knowledge that criminal prosecution is a potential avenue which employers can pursue for data theft is a powerful weapon.


  • Be vigilant when recruiting new hires who claim to be able to bring client lists, or other confidential business information which could contain personal data, across with them. The ICO could target a new employer if they are aware such information probably belongs to the former employer, but have chosen to use that personal data to their own advantage.
  • Employment contracts and handbooks should include well-drafted confidentiality provisions and restrictive covenants (where appropriate).
  • Ensure that any internal policies relating to confidential information and data protection are clear about any obligations, and are properly communicated to all staff.
  • Make sure that employees are aware of their obligations, and the consequences of breaching their employment contracts and the data protection legislation. Train staff to understand obligations around data usage and the sanctions for breach.
  • Ensure that the duty to return or destroy confidential information is covered in the employer’s leaver process and correspondence.

We are not suggesting that appropriate contractual provisions should be ignored; far from it. This case suggests a way for those whose data has been ‘stolen’, even if not subsequently used, to get some retribution and justice.

The guidance provided in this article is just that – guidance. Before taking any action make sure that you know what you are doing, or call us for a free initial chat on 01480 677980.