We live in a world that runs on data. Every time we sign up for a new service, buy a product online or even sign up for a newsletter, we leave a data trail behind. By law, we have some level of control over how companies use our data and, in certain circumstances, can request that they delete the data they hold.
Importantly, for the companies and institutions that hold information about us, there is protective legislation governing how they use that data. The Data Protection Act 2018 requires everyone to use data fairly, lawfully and transparently. Avoid falling foul of the law by ensuring your staff understand when they can and can't access customer data.
The consequences of accessing data illegally
Individuals and businesses that fall foul of this legislation can face costly legal proceedings and significant reputational damage.
Recently, a case went before the magistrates' court in which the defendant was employed at South Warwickshire NHS Foundation Trust. Christopher O'Brien pleaded guilty to unlawfully accessing the medical records of 14 patients without a valid legal reason.
In this instance, the defendant accessed the records of people known to him without a valid business reason or the knowledge of the trust he worked for. This led to significant distress for the victims and reputational damage for the NHS Trust.
The defendant was ordered to pay £250 in compensation to each of 12 patients, £3,000 in total.
The importance of training your staff to be data-aware
The above case is an unfortunate example of what can happen when personal data is accessed without a valid business reason. While you can't control the actions of certain rogue individuals 24/7, you can ensure adequate training is given, minimising the chances of data being accessed improperly.
For example, there are many instances where a business might need to access a client's data. However, the line between accessing that data legally and illegally can be a very fine one.
Where an architect is representing a client and preparing plans to accompany a planning permission application, the architect might need to access a Google Street View or Google Earth image of the client's property for a visual representation of the land and building in question.
However, if a receptionist at the architect's firm looked up the client's residence simply out of curiosity to see what the client's house looked like, this would be an improper use of personal data as there is no valid legal or business reason for that person to access such information.
Advising your staff of these nuances could be the difference between a compliant GDPR strategy and costly legal issues resulting in reputational damage.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.