We live in a world that runs on data. Every time we sign up for
a new service, buy a product online or even sign up for a
newsletter, we leave a data trail behind. By law, we have some
level of control over how companies use our data, and we can request that they
delete the data they hold, in certain circumstances.
Importantly, for the companies and institutions that hold
information about us, there is protective legislation governing how
they use that data. The Data Protection Act 2018 requires
everyone to use data fairly, lawfully and transparently. Avoid
falling foul of the law by ensuring your staff understand when they
can and can’t access customer data.
The consequences of accessing data illegally
Individuals and businesses that fall foul of
this legislation can face costly legal proceedings and
significant reputational damage.
Recently, a case went before the magistrates’
court in which the defendant was employed at South
Warwickshire NHS Foundation Trust. Christopher O’Brien
pleaded guilty to unlawfully accessing the medical records of 14
patients without a valid legal reason.
In this instance, the defendant accessed the records of people
known to him without a valid business reason or the knowledge of
the trust he worked for. This led to significant distress for the
victims and reputational damage for the NHS Trust.
The defendant was ordered to pay £250 in compensation to each of
12 patients, £3,000 in total.
The importance of training your staff to be data-aware
The above case is an unfortunate example of what can happen when
personal data is accessed without a valid business reason. While
you can’t control the actions of certain rogue individuals
24/7, you can ensure adequate training is given, minimising the
chances of data being accessed improperly.
For example, there are many instances where a business might
need to access a client’s data. However, the line between
accessing that data legally and illegally can be a very fine
In a case where an architect is representing a client in
preparing some plans to accompany a planning permission
application, it might be required for the architect to access a
Google Street View or Google Earth image of the client’s
property for a visual representation of the land and building in
However, if a receptionist at the architect’s firm looked
up the client’s residence simply out of curiosity to see what
the client’s house looked like, this would be an improper use
of personal data as there is no valid legal or business reason for
that person to access such information.
Advising your staff of these nuances could be the difference
between a compliant GDPR strategy and costly legal issues resulting
in reputational damage.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.