ICO prosecutes employee under the Data Protection Act for forwarding client data to his personal email address
- 08 July 2026
- Privacy and Data Protection
The issue of employees taking confidential business information or personal data when moving to a new employer remains a significant concern for businesses. While technology has evolved, the legal and regulatory expectations surrounding the handling of personal data have become considerably stricter since the introduction of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
One of the ICO’s earlier prosecutions involved an employee of a waste management company who emailed details relating to 957 clients to his personal email account before leaving to join a competitor. The information included commercially sensitive material as well as customers’ personal data, including contact details and purchasing history. The employee was prosecuted for unlawfully obtaining personal data and received a financial penalty.
The case followed other prosecutions involving employees attempting to misuse customer information for commercial advantage. Although these cases pre-date the current UK data protection regime, they continue to illustrate the ICO’s willingness to pursue individuals who deliberately misuse personal data.
Since these prosecutions, the legal landscape has changed significantly. The UK GDPR and the Data Protection Act 2018 introduced a more comprehensive framework governing the use of personal data and strengthened the powers available to the Information Commissioner’s Office (ICO).
Individuals who unlawfully obtain, disclose or retain personal data may now face criminal sanctions under the Data Protection Act 2018 in appropriate circumstances. In addition, organisations that fail to implement appropriate technical and organisational measures to protect personal data can face substantial regulatory fines and enforcement action.
For employers, the risks extend beyond regulatory action. Employees who remove customer lists, pricing information or other confidential business information may also expose themselves to civil claims for breach of contract, breach of confidence, misuse of confidential information and, where applicable, infringement of intellectual property rights.
The issue of employees taking confidential business information or personal data when moving to a new employer remains a significant concern for businesses.
Businesses should not assume that data theft is purely an IT security issue. Effective protection requires a combination of legal, technical and organisational measures, including:
Although the ICO continues to take action against organisations that fail to protect personal data, individuals should not overlook their own responsibilities. Employees who copy customer information or other personal data before leaving an organisation may face regulatory investigation, criminal prosecution in appropriate cases, civil claims from their former employer and serious reputational consequences.
For employers, these cases serve as a timely reminder that prevention is more effective than cure. Strong contractual protections, well-managed offboarding procedures and effective cybersecurity controls can significantly reduce the risk of valuable business information walking out of the door with departing employees.
If you need advice on protecting confidential information or data protection compliance, contact our Data Protection team for expert guidance.
Keep up to date with the latest tips, analysis and upcoming events by our legal experts, direct to your inbox.
Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.