Employee Confidentiality and Data Theft: Recent UK Developments

February 10, 2021, Covington Alert

In this alert we look at a recent decision by the UK Court of Appeal and a separate prosecution brought by the Information Commissioner’s Office (“ICO”; the UK data protection authority), which together serve as a cautionary tale for employees and prospective future employers of the risks of civil liability and criminal conviction for confidential information and data theft.

Clear contractual terms and policies, supplemented by training, remain critical tools for employers seeking to deter employees from misappropriating corporate information. Employers may wish to make use of these examples to underscore the importance of compliance.

Travel Counsellors Ltd v Trailfinders Ltd [2021] EWCA is an important case that explores the circumstances creating a duty on a new employer to protect confidential information belonging to the previous employer. An equitable duty of confidence arises if a recipient of information knows or ought to have known that it is confidential.

Several employees left Trailfinders in order to engage with Travel Counsellors Ltd (“TCL”) as franchisees. They were encouraged to bring customer contacts with them, and accordingly took various steps to access Trailfinders’ proprietary databases in order to compile relevant customer information that they might use for their own benefit, and for the benefit of TCL.

The High Court and the Court of Appeal found that TCL’s senior management would or should have been aware: i) that the information provided by former Trailfinders employees was likely to have been copied from Trailfinders’ systems; and ii) that Trailfinders would reasonably have regarded it as confidential. Nevertheless, TCL did not ask for information about the source of the information, or the extent to which Trailfinders might have sought to protect it. TCL therefore breached its equitable obligation of confidence to Trailfinders.

Importantly, the Court of Appeal held that knowledge/notice of confidentiality had to be assessed by reference to the actions of a reasonable person in the recipient’s position. If that person would have made enquiries upon receipt of information that might be confidential, while the defendant recipient made none, an equitable obligation of confidence arises. It is not always necessary to prove that the defendant recipient deliberately turned a blind eye - depending on the circumstances, the absence of reasonable enquiry may be sufficient to establish liability. TCL was therefore liable for a breach of the equitable duty of confidence.

The individual employees concerned were also found to be in breach of their contracts of employment and of equitable obligations of confidence to Trailfinders in an earlier decision by the Intellectual Property Enterprise Court.

The ICO recently published details of its prosecution of a motor industry employee who, during her employment, compiled and transferred road traffic accident data without the authorization of her employer. The employee sold the personal data to an accident claims management firm which used it to make nuisance calls.

The employee was found to have committed offences under the Computer Misuse Act 1990, section 1 of which refers to causing a computer to perform a function with intent to secure access to any program or data held on that computer.

The employee has been sentenced to eight months’ imprisonment, suspended for two years, and must also carry out 100 hours’ unpaid work, contribute £1,000 in costs and repay a benefit figure of £25,000. The director of the accident claims management firm which received the data received a similar sentence after pleading guilty to conspiracy to secure unauthorized access to computer data.

An employee who obtains, retains or discloses personal data without the consent of the data controller (which will often be their employer) may also commit a criminal offence under section 170 of the Data Protection Act 2018 (“DPA”). Such action may also constitute a reportable data breach under the DPA and the UK General Data Protection Regulation.  

The ICO has the power to take action to change the behavior of organizations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. 

The UK Supreme Court’s decision in 2020 in the case of Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 confirmed that that an employer cannot be held liable for actions of an employee who commits an illegal act in pursuance of their own independent venture that is unrelated to activities they are authorized to undertake on behalf of their employer. While this decision will give some comfort to employers, companies nonetheless risk very significant revenue-based fines and claims for compensation by data subjects if personal data is not sufficiently protected by adequate safeguards.

If you have any questions concerning the material discussed in this client alert, please contact the following members of our Employment and Data Privacy practices.