Q. Is my company in breach of the Data Protection Act (DPA) and liable to be fined if my employee loses their own personal device holding company information?
A. The DPA applies to the processing (www.practicallaw.com/0-200-3426) by data controllers (www.practicallaw.com/5-107-5723) of personal data (www.practicallaw.com/8-200-3413) relating to data subjects (www.practicallaw.com/0-107-5725).
A breach of the DPA may result in the data controller, often the company or employer, being liable for a substantial fine of up to £500,000. To avoid contraventions of the DPA, companies should consider appointing a data-compliance officer and implementing relevant company policies. Employers should be particularly vigilant about the contents of any employment contracts and consider whether they make sufficient provision for breaches of the DPA.
To emphasise the stringent approach under the DPA, a company may even be liable where a device is lost or stolen and contains, or allows access to, personal data of the company, and/or where that device is inadequately encrypted. This is particularly important where a firm operates a ‘Bring Your Own Device’ (BYOD) policy.
The Information Commissioner’s Office website offers valuable guidance to data controllers.
Andrew Hornsby, Partner