A former employee of car breakdown services company RAC has recently pleaded guilty and been fined for stealing the data of victims of road traffic incidents. Over the course of a single month in 2019, the RAC received 21 complaints from customers who had been called by claims management companies following accidents in which RAC assisted.
A review of the individuals who had accessed these claims found that Mr Asif Khan, 42, was the only employee to have accessed all of them, and an internal investigation conducted by RAC later uncovered suspicious behaviour from Mr Khan, including taking photos of his computer screen.
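The access review described above boils down to a set intersection over audit records: take the claims the complainants reported, look up who opened each one, and keep only the users present in every set. The following is an added illustration, not code from the article or from RAC; it assumes a simple comma-separated access log of the form `timestamp,user,claim_id`, and all user names and claim IDs in it are constructed.

```python
from collections import defaultdict

# Constructed sample access log (not real RAC data): one line per record view,
# "timestamp,user,claim_id". Users and claim IDs are invented.
SAMPLE_ACCESS_LOG = """\
2019-03-02T09:14:00,clerk_a,CLM-1001
2019-03-02T09:16:00,clerk_x,CLM-1001
2019-03-02T11:02:00,clerk_b,CLM-1002
2019-03-02T11:05:00,clerk_x,CLM-1002
2019-03-03T08:40:00,clerk_a,CLM-1003
2019-03-03T08:41:00,clerk_x,CLM-1003
2019-03-03T14:12:00,clerk_a,CLM-1004
2019-03-03T14:15:00,clerk_x,CLM-1004
2019-03-04T10:00:00,clerk_b,CLM-1005
2019-03-04T10:03:00,clerk_x,CLM-1005
2019-03-04T10:30:00,clerk_x,CLM-1005
2019-03-05T09:00:00,clerk_a,CLM-2001
2019-03-05T09:30:00,clerk_b,CLM-2002
"""

# Claims that complaining customers reported (constructed for the example).
COMPLAINED_CLAIMS = {"CLM-1001", "CLM-1002", "CLM-1003", "CLM-1004", "CLM-1005"}


def parse_access_log(text):
    """Return a list of (user, claim_id) pairs; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        _timestamp, user, claim = parts
        records.append((user, claim))
    return records


def accessors_by_claim(records):
    """Map each claim id to the set of users who opened it."""
    index = defaultdict(set)
    for user, claim in records:
        index[claim].add(user)
    return index


def users_who_accessed_all(records, claims):
    """Users present in the access set of every listed claim.

    If any claim has no recorded access at all, nobody can have opened every
    claim, so the result is empty rather than a false positive.
    """
    index = accessors_by_claim(records)
    common = None
    for claim in claims:
        users = index.get(claim, set())
        common = set(users) if common is None else common & users
        if not common:
            return set()
    return common or set()


def coverage_ranking(records, claims):
    """Rank users by how many of the complained-about claims they opened.

    When no single user covers every claim, the review starts with whoever
    is closest to full coverage.
    """
    index = accessors_by_claim(records)
    counts = defaultdict(int)
    for claim in claims:
        for user in index.get(claim, ()):
            counts[user] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    print("opened every complained claim:", users_who_accessed_all(recs, COMPLAINED_CLAIMS))
    print("coverage ranking:", coverage_ranking(recs, COMPLAINED_CLAIMS))
```

The intersection alone is not proof of wrongdoing, since a user whose job legitimately touches every claim (a supervisor, a quality checker) will also appear; the ranking is there so the review has a starting point when no account covers all of the reported claims. Either result is an input to the kind of internal investigation the article describes, not a conclusion.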
A search warrant executed by the ICO seized two phones and a customer receipt for £12,000, with the phones containing information relating to over 270 road incidents. After pleading guilty to two counts of data theft in breach of Section 170 of the Data Protection Act 2018 in January 2023, Mr Khan was fined £5,000 and ordered to pay a victim surcharge and court costs.
Senior data protection and privacy solicitor, Becky White, commented:
This case is interesting as it highlights that even though employers may not be able to prevent a rogue employee from acting criminally if they are so inclined, there are steps that an organisation can take to minimise exposure and ultimately their risk profile.
Keeping an up-to-date information risk assessment with a view to ensuring that appropriate technical and organisational measures are always implemented is a good place to start. Furthermore, employers should also be prudent to ensure that all staff are appropriately trained on data protection and fully aware of their own data protection roles and responsibilities, as ensuring a culture of compliance and accountability is created and maintained at all times is key.
Ensuring your employees understand their responsibilities under UK GDPR and data protection laws can be difficult, but it is also crucial, as getting data protection wrong can have serious consequences for your business. Our team of data protection solicitors can clarify these laws, removing any legalese or jargon. Our data protection health check comes with a series of training materials that can help employers to understand what it means to be UK GDPR compliant.