An investigation by the Information Commissioner’s Office (ICO) found that the worker, an apprentice in the schools admissions department took a screenshot of a council spreadsheet concerning children and their eligibility for free school meals. She then sent it to the estranged parent of one of the pupils via Snapchat. The image included the names, addresses, dates of birth and National Insurance numbers of 37 pupils and their parents. She also sent a copy of a school admission record relating to another child.
The defendant was at the time employed as an apprentice at Southwark Council and had received training in data protection. She declined to answer any questions when interviewed by the ICO.
The defendant pleaded guilty to three offences of unlawfully obtaining and disclosing personal data, in breach of section 55 of the Data Protection Act 1998. She was fined £850 and ordered to pay £713 prosecution costs at Westminster Magistrates’ Court.
This case is a reminder to us all that we need to be considering the 8 fundamental data protection principles at all times when we are processing personal data. Sending personal data via Snapchat and behaving in the manner set out above, breaches those fundamental principles – and this employee had received data protection training!
It is also a reminder that as employers, we need to be demonstrating our compliance with data protection principles – particularly with regard to security.
If you would like any further information on how businesses can demonstrate compliance with the GDPR, please contact me.