But not the type of record sales typically sought by an employer.
Former T-Mobile employee David Turley pleaded guilty last week to 18 charges brought against him under section 55 of the Data Protection Act, which prohibits unlawfully obtaining personal data.
Mr Turley stole customer information from T-Mobile, including customer's names, contact details, and contract details. He sold this information on to competitors of T-Mobile who, in turn, used the information to cold call and poach customers who were nearing the end of their T-Mobile contracts.
Mr Turley is yet to be sentenced, and one of his co-workers allegedly involved in the theft is yet to be tried; however the Information Commissioner has called for tougher penalties to be imposed upon those involved in the theft of personal data.
Whilst in this scenario the employees have been found liable, it could have been an entirely different call if T-Mobile had failed, as a data controller, to train their staff adequately on the importance of data protection, provide their staff with clear data protection procedures, and impose adequate safeguards against the theft of personal data.
All data controllers (that is anyone who determines the purposes for which and the manner in which any personal data is to be processed) must also ensure that personal data is not retained any longer than is necessary, and must ensure that adequate measures are put in place not only to prevent the unauthorised or unlawful processing of personal data, but also to prevent the loss, destruction or damage of personal data.
If these steps are not taken, you may find yourself at the receiving end of a claim for breach of the Data Protection Act 1998 and consequently liable to pay any associated fines, which, if the Information Commissioner has his calls answered, could be significantly in excess of the cost of ensuring adequate procedures and safeguards are in place to prevent such breaches. If your employees are adequately trained, and you have taken adequate steps to ensure the security and protection of personal data, it will be the employee who breaches the provisions that has to answer to the Information Commissioner.
Disclaimer
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.