News and Events

A Case Study on Client Data

View profile for Christopher Buck
  • Posted
  • Author

a case study on client data

Taking client data without permission is a serious matter. On 26 May 2016, Mark Lloyd, a former employee of Acorn Waste Management Limited, attended Telford Magistrates Court. He pleaded guilty to unlawfully obtaining client data, and was prosecuted under section 55 of the Data Protection Act 1998…

The case study

When Mark Lloyd was preparing to leave his job at Acorn Waste Management Limited to work for a rival company, he forwarded the details of 957 clients to his personal email address. The Information Commissioner’s Office confirmed that the documents Mr Lloyd emailed to himself contained details of clients’ personal information, including their purchase history and contact details.

Further to entering his guilty plea, Mr Lloyd was fined £300, ordered to pay a £30 victim surcharge and £405.98 in costs.

The facts

It’s a criminal offence to take client information, without permission, to a new job. Currently, the offence is only punishable in a Magistrates Court or Crown Court and by way of a fine.

The Information Commissioner’s Office has, and continues to argue, that the threat of prison, and other effective deterrent sentences, should be enforced, to prevent personal information, including client data, being unlawfully obtained.

It is essential for the eight principles of Schedule 1 of Part 1 of the Data Protection Act 1998 to be complied with by anyone who processes personal information. These eight principles are…

  1. Personal data should be fairly and lawfully processed
  2. Personal data should only be processed for limited and lawful purposes
  3. The personal data which is processed should be adequate, relevant and not excessive
  4. Personal data should be accurate and, where possible, kept up to date
  5. Personal data should be kept for no longer than is necessary
  6. The processing of personal data should be in accordance with the rights of data subjects under the DPA 1998
  7. Personal data should be stored securely so as to prevent accidental loss, damage and destruction
  8. Personal data should not be transferred, without adequate levels of protection, to a country or territory outside of the European Economic Area.

Businesses, individuals, partnerships, employers and employees all need to be aware of their responsibilities surrounding personal data and its ownership. Documents worked on and created by employees containing personal data remain the property of the employer, even when the employment ends

If you’d like further information about any of these issues or would like to arrange an appointment to see one of our Solicitors, please contact us on 01604 828 282.

Image courtesy of

Blog disclaimer