The Information Commissioner's Office (ICO) has reported on the prosecution of a recruiter, Rebecca Gray in relation to unlawfully obtaining data. Rebecca Gray was, at the time, working for a recruitment agency in Widnes and prior to leaving to start a new role with a rival recruitment company, emailed the personal data of around 100 clients and potential clients to her personal email address. She used the information emailed in order to contact the individuals in the course of her new job.
Recruiters are generally cognisant of the non-solicitation and confidentiality obligations that they owe to their employers, as contained in employment contracts, but they often overlook the issue of data protection in relation to the personal information of clients. The Data Protection Act requires anyone who processes personal data to comply with eight "data protection principles". To breach these principles can be expensive, as Ms Gray has discovered.
A key point is that the data should only be used for the purpose for which it is collected - which is unlikely to include anything about transferring the data to a new employer.
Businesses should be cautious about client and candidate information brought to them by new employees - a warranty in writing could be obtained from the new employee to confirm that they will not be acting in breach of any existing obligations, such as restrictive covenants owed to previous employers or in relation to confidential information and data protection. If you know that the information is owned by the previous employer, you may be at risk of a claim, as well as the employee in question, if your business then processes that data.
You should ensure that your policies in relation to confidential information, data protection and information usage are clear, consistent, up to date and have been properly communicated to all staff.
Ms Gray pleaded guilty to the offence under section 55 of the Data Protection Act, and was fined £200, ordered to pay £214 prosecution costs and a £30 victim surcharge.