A paralegal has been convicted for taking client data with him when he left his role. Douglas Carswell MP denies taking Tory Party data, but what of his civil obligations with the data he has retained?
I blogged recently about the data protection implications of the news that Douglas Carswell MP was resigning his seat and seeking re-election as a UKIP MP. I mused on the fact that UKIP were reported to be “purring” over the data he was bringing with him, and I questioned whether, if this was personal data of constituents, his processing was compliant with his obligations under the Data Protection Act 1998. Paul Bernal blogged as well, and Paul was quoted in a subsequent article in The Times (which now seems to have been moved, or removed), in which Carswell defended himself against allegations of illegality
“Any data that the Conservative Party gathered while I was a member of the Conservative party is, was and must remain the property of the Conservative party.” He said that the suggestion that he had taken such information was “desperate briefing from within the Tory machine” and was extremely regrettable. The former MP did say, however, that he planned to use his own private data gathered during nine years as a Conservative MP. He insisted that he would not be sharing this with UKIP
With respect to Mr Carswell, this still doesn’t convince me that no data protection concerns exist. If by his “own private data”, he means information about constituents which is their personal data, then I would still argue that such use could potentially be in contravention of his civil obligations under the first and second principles in Schedule One to the Data Protection Act 1998. As I said previously
If constituents have given Carswell their details on the basis that it would be processed as part of his constituency work as a Conservative MP they might rightly be aggrieved if that personal data were then used by him in pursuit of his campaign as a UKIP candidate
Even if he didn’t share such data with UKIP, data protection obligations would clearly be engaged.
It seems to me that his quote to The Times was perhaps to refute any possible allegations that his use of data was criminal. A recent prosecution by the Information Commissioner’s Office (ICO) illustrates how taking personal data from one job, or one role, to another, without the consent of the data controller, can be a criminal offence. The offender was a paralegal at a Yorkshire solicitor’s practice who, before he left the firm, emailed himself (presumably to a private address) information, in the form of workload lists, file notes and template documents. However, the information also contained the personal data of over 100 clients of the firm. Accordingly, he was convicted of the offence at section 55 of the DPA, of (in terms) unlawfully obtaining personal data without the consent of the data controller. The fine was, as they tend to be for section 55 offences, small – £300, plus a £30 victim surcharge and £438.63 prosecution costs – but the offender’s future job prospects in the legal sector might be adversely affected.
The ICO’s Head of Enforcement Steve Eckersley is quoted, and though he talks in terms of “employees”, his words might well be equally applicable to people leaving elected posts
Employees may think work related documents that they have produced or worked on belong to them and so they are entitled to take them when they leave. But if they include people’s details, then taking them without permission is breaking the law
Mr Carswell was wise not to retain data for which the Conservative Party was data controller. But I’m still not sure about the (non-criminal) implications of his use of data for which he is data controller.