The consequences of getting data protection wrong: Former RAC employee fined for stealing data

A former employee of car breakdown services company RAC has recently pled guilty and been hit with a fine for stealing the data of victims of road traffic incidents. Over the course of a single month in 2019, the RAC had received 21 complaints from customers who received calls from claims management companies following accidents in which RAC assisted.

A review of the individuals who had accessed these claims found that Mr Asif Khan, 42, was the only employee to access all of them, and an internal investigation conducted by RAC later uncovered suspicious behaviour from Mr Khan, including taking photos of his computer screen.

The ICO executed a search warrant and seized two phones and a customer receipt for £12,000; the phones contained information relating to over 270 road incidents. After pleading guilty in January 2023 to two counts of data theft in breach of Section 170 of the Data Protection Act 2018, Mr Khan was fined £5,000 and ordered to pay a victim surcharge and court costs.

Senior data protection and privacy solicitor, Becky White, commented:

This case is interesting as it highlights that even though employers may not be able to prevent a rogue employee from acting criminally if they are so inclined, there are steps that an organisation can take to minimise exposure and ultimately their risk profile.

Keeping an up-to-date information risk assessment with a view to ensuring that appropriate technical and organizational measures are always implemented is a good place to start. Furthermore, employers should also be prudent to ensure that all staff are appropriately trained on data protection and fully aware of their own data protection roles and responsibilities, as ensuring a culture of compliance and accountability is created and maintained at all times is key.

Ensuring your employees understand their responsibilities under UK GDPR and data protection laws can be difficult but it is also crucial as getting data protection wrong can have serious consequences for your business. Our team of data protection solicitors can clarify these laws, removing any legalese or jargon. Our data protection health check comes with a series of training materials that can help employers to understand what it means to be UK GDPR compliant.

